Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

8bZMO28ywp.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.530766885150198
Filename:	8bZMO28ywp.exe
Filesize:	571904
MD5:	42661ea68d2293c67cb878d88257f7f2
SHA1:	a63f14b94257e93f483fba2dc9c9338a4d487d99
SHA256:	8157fd69bd3a3259d7911729323d4fe91eb4745fdccf2b605787b956ffe8d1c2
SHA512:	1d506d5815f44a27ea65601ef7da36e912f2f00accce63532f5c793808235a187589a6bddaa12d3feddd483f0f7d9a67ebd73d7a0f5c30df34ef9dcb5ddcab9d
SSDEEP:	12288:lgP1HBOB7Nu02X6CVswMK8qDapoEts/bj9XVk2TtF2gip5/V59ihmPWjZ7hHl1H5:lgP1IB00hze
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8bZMO28ywp.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8bZMO28ywp.exe.log
Category:	dropped
Dump:	8bZMO28ywp.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\8bZMO28ywp.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9.dll
Category:	dropped
Dump:	d3d9.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\8bZMO28ywp.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.829863995979643
Encrypted:	false
Ssdeep:	6144:0bVI51mF0g9G+SFFoYe78PnnXX6uftgzitgqYxT:1XmF0g9Vl8PaufteVn1
Size:	292352
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Category:	dropped
Dump:	MSBuild.exe.log.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.330114603578639
Encrypted:	false
Ssdeep:	48:MxHKlYHKh3okHafHK7HKhBHKntHo6hAHKzeEHK8THQmHKtXoPHZHjHKx1qHxLHqV:iqlYqh3okmq7qLqntI6eqzPqojqo5DqL
Size:	2545
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\8bZMO28ywp.exe

"C:\Users\user\Desktop\8bZMO28ywp.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6840
Target ID:	0
Parent PID:	2580
Name:	8bZMO28ywp.exe
Path:	C:\Users\user\Desktop\8bZMO28ywp.exe
Commandline:	"C:\Users\user\Desktop\8bZMO28ywp.exe"
Size:	571904
MD5:	42661EA68D2293C67CB878D88257F7F2
Time:	15:56:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xdc0000
Modulesize:	598016
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	4124
Target ID:	2
Parent PID:	6840
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	15:56:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x8b0000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	2004
Target ID:	1
Parent PID:	6840
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	15:56:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://t.me/+J_Z1QGHfHko0MGZi

149.154.167.99

https://t.me/

unknown

https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Contract/MSValue3ResponseD

unknown

http://tempuri.org/Contract/MSValue2Response

unknown

http://tempuri.org/

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Contract/MSValue3Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Contract/MSValue2ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://tempuri.org/Contract/MSValue1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

http://tempuri.org/Contract/MSValue2

unknown

http://tempuri.org/Contract/MSValue3

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT

unknown

http://tempuri.org/D

unknown

http://schemas.xmlsoap.org/ws/2004/06/addressingex

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

unknown

http://www.w3.o

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap

unknown

http://schemas.xmlsoap.org/ws/2002/12/policy

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue

unknown

http://tempuri.org/Contract/MSValue1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

up.nexgor.top

157.90.30.125

Details

Name:	up.nexgor.top
IP:	157.90.30.125
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

157.90.30.125

up.nexgor.top

United States

Details

IP:	157.90.30.125
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	766
ASN name:	REDIRISRedIRISAutonomousSystemES
Private:	false
Domain:	up.nexgor.top

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

402000

remote allocation

page execute and read and write

6CE8B000

unkown

page read and write

1220000

heap

page read and write

6D00000

trusted library allocation

page execute and read and write

6C60000

trusted library allocation

page execute and read and write

6906000

trusted library allocation

page read and write

6F90000

trusted library allocation

page read and write

6B9E000

stack

page read and write

11D7000

trusted library allocation

page execute and read and write

6593000

heap

page read and write

DC0000

unkown

page readonly

171F000

stack

page read and write

6C70000

heap

page read and write

11BD000

trusted library allocation

page execute and read and write

700B000

stack

page read and write

144B000

trusted library allocation

page execute and read and write

F8E000

heap

page read and write

6894000

trusted library allocation

page read and write

11D5000

trusted library allocation

page execute and read and write

126E000

stack

page read and write

6CE60000

unkown

page readonly

1414000

trusted library allocation

page read and write

632E000

stack

page read and write

6500000

trusted library allocation

page execute and read and write

5BE0000

trusted library allocation

page read and write

66F7000

heap

page read and write

675F000

trusted library allocation

page read and write

1413000

trusted library allocation

page execute and read and write

68D0000

trusted library allocation

page read and write

13D0000

heap

page read and write

5702000

heap

page read and write

DC2000

unkown

page readonly

3D36000

trusted library allocation

page read and write

6F00000

trusted library allocation

page read and write

13BE000

stack

page read and write

2C90000

heap

page execute and read and write

674D000

trusted library allocation

page read and write

6C36000

trusted library allocation

page read and write

11D2000

trusted library allocation

page read and write

15D5000

heap

page read and write

667E000

heap

page read and write

13D5000

heap

page read and write

6765000

trusted library allocation

page read and write

64F0000

trusted library allocation

page read and write

56A9000

heap

page read and write

68B9000

trusted library allocation

page read and write

51BE000

trusted library allocation

page read and write

6BC0000

trusted library allocation

page read and write

66FE000

heap

page read and write

3258000

trusted library allocation

page read and write

2C2C000

stack

page read and write

6C20000

trusted library allocation

page read and write

18C0000

heap

page read and write

1447000

trusted library allocation

page execute and read and write

6B1E000

stack

page read and write

6510000

heap

page execute and read and write

FEA000

stack

page read and write

1410000

trusted library allocation

page read and write

1210000

trusted library allocation

page read and write

6770000

trusted library allocation

page read and write

65A3000

heap

page read and write

5850000

heap

page execute and read and write

6737000

heap

page read and write

68BD000

trusted library allocation

page read and write

6562000

heap

page read and write

5BCE000

stack

page read and write

2C6E000

stack

page read and write

11A4000

trusted library allocation

page read and write

3CF5000

trusted library allocation

page read and write

11D0000

trusted library allocation

page read and write

5790000

trusted library section

page read and write

11B0000

trusted library allocation

page read and write

819E000

stack

page read and write

AEF0000

trusted library allocation

page execute and read and write

E4E000

stack

page read and write

6740000

trusted library allocation

page read and write

1330000

trusted library allocation

page read and write

5BF0000

trusted library allocation

page execute and read and write

642F000

stack

page read and write

4A55000

trusted library allocation

page read and write

14D0000

heap

page read and write

51F0000

heap

page read and write

1440000

trusted library allocation

page read and write

6D10000

trusted library allocation

page read and write

2D0E000

trusted library allocation

page read and write

4DCD000

stack

page read and write

6860000

trusted library allocation

page read and write

64B0000

trusted library allocation

page read and write

68DB000

trusted library allocation

page read and write

64F3000

trusted library allocation

page read and write

3251000

trusted library allocation

page read and write

EEC000

stack

page read and write

6596000

heap

page read and write

5860000

trusted library allocation

page read and write

66E8000

heap

page read and write

1250000

heap

page read and write

323E000

stack

page read and write

1547000

heap

page read and write

1044000

heap

page read and write

5BD0000

trusted library allocation

page execute and read and write

F70000

heap

page read and write

1007000

heap

page read and write

1340000

heap

page read and write

3CE8000

trusted library allocation

page read and write

2D1F000

trusted library allocation

page read and write

580E000

stack

page read and write

534E000

stack

page read and write

15E4000

heap

page read and write

518E000

stack

page read and write

1424000

trusted library allocation

page read and write

5190000

trusted library allocation

page read and write

56B2000

heap

page read and write

1460000

trusted library allocation

page read and write

64A0000

trusted library allocation

page read and write

584D000

stack

page read and write

561D000

trusted library allocation

page read and write

102E000

heap

page read and write

11F0000

trusted library allocation

page read and write

F9A000

heap

page read and write

6880000

trusted library allocation

page read and write

6B5E000

stack

page read and write

1400000

trusted library allocation

page read and write

6654000

heap

page read and write

6528000

trusted library allocation

page read and write

6850000

trusted library allocation

page read and write

6731000

heap

page read and write

9E0000

heap

page read and write

6677000

heap

page read and write

68A8000

trusted library allocation

page read and write

1014000

heap

page read and write

158B000

heap

page read and write

66C4000

heap

page read and write

684E000

stack

page read and write

6480000

trusted library allocation

page read and write

829E000

stack

page read and write

137E000

stack

page read and write

1330000

heap

page read and write

68AE000

trusted library allocation

page read and write

41E000

remote allocation

page execute and read and write

5761000

heap

page read and write

FF9000

heap

page read and write

514D000

stack

page read and write

E55000

heap

page read and write

6470000

trusted library allocation

page read and write

6579000

heap

page read and write

116F000

stack

page read and write

51A1000

trusted library allocation

page read and write

66AC000

heap

page read and write

687B000

trusted library allocation

page read and write

1554000

heap

page read and write

6490000

trusted library allocation

page execute and read and write

1310000

heap

page read and write

11AD000

trusted library allocation

page execute and read and write

7553000

heap

page read and write

5601000

trusted library allocation

page read and write

51E3000

heap

page execute and read and write

6745000

trusted library allocation

page read and write

11A3000

trusted library allocation

page execute and read and write

3CE2000

trusted library allocation

page read and write

573A000

heap

page read and write

68BF000

trusted library allocation

page read and write

57CD000

stack

page read and write

671F000

heap

page read and write

65EA000

heap

page read and write

325C000

trusted library allocation

page read and write

E50000

heap

page read and write

1200000

trusted library allocation

page execute and read and write

64F6000

trusted library allocation

page read and write

51C1000

trusted library allocation

page read and write

66CD000

heap

page read and write

14B0000

trusted library allocation

page execute and read and write

689B000

trusted library allocation

page read and write

5767000

heap

page read and write

7A7E000

stack

page read and write

6ED0000

trusted library allocation

page execute and read and write

6540000

heap

page read and write

6CEA8000

unkown

page readonly

68E0000

trusted library allocation

page read and write

3D43000

trusted library allocation

page read and write

676F000

trusted library allocation

page read and write

6608000

heap

page read and write

100D000

heap

page read and write

11C0000

trusted library allocation

page read and write

151E000

stack

page read and write

101E000

heap

page read and write

680D000

stack

page read and write

68C5000

trusted library allocation

page read and write

6870000

trusted library allocation

page read and write

6CE84000

unkown

page readonly

2CB0000

trusted library allocation

page read and write

FF8B0000

trusted library allocation

page execute and read and write

5670000

heap

page read and write

F5E000

stack

page read and write

14AE000

stack

page read and write

1562000

heap

page read and write

578F000

stack

page read and write

8FA0000

heap

page read and write

55EE000

stack

page read and write

5631000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

152E000

heap

page read and write

3CD1000

trusted library allocation

page read and write

65E0000

heap

page read and write

18E0000

heap

page read and write

51B2000

trusted library allocation

page read and write

519B000

trusted library allocation

page read and write

53EF000

stack

page read and write

6C30000

trusted library allocation

page read and write

6EC0000

trusted library allocation

page read and write

2BEF000

stack

page read and write

6C10000

trusted library allocation

page read and write

65D4000

heap

page read and write

5610000

trusted library allocation

page read and write

E4E000

unkown

page readonly

7A3E000

stack

page read and write

3CEE000

trusted library allocation

page read and write

68A4000

trusted library allocation

page read and write

11A0000

trusted library allocation

page read and write

2D1B000

trusted library allocation

page read and write

CF8000

stack

page read and write

9F0000

heap

page read and write

134E000

heap

page read and write

318E000

stack

page read and write

2D06000

trusted library allocation

page read and write

3145000

trusted library allocation

page read and write

11C6000

trusted library allocation

page execute and read and write

6891000

trusted library allocation

page read and write

1016000

heap

page read and write

68D9000

trusted library allocation

page read and write

181F000

stack

page read and write

51D0000

trusted library allocation

page read and write

56E7000

heap

page read and write

7540000

heap

page read and write

6520000

trusted library allocation

page read and write

1520000

heap

page read and write

6695000

heap

page read and write

1528000

heap

page read and write

6FC0000

heap

page read and write

6C40000

trusted library allocation

page execute and read and write

5870000

trusted library allocation

page read and write

1190000

trusted library allocation

page read and write

14C0000

heap

page execute and read and write

11DB000

trusted library allocation

page execute and read and write

6F60000

trusted library allocation

page execute and read and write

6758000

trusted library allocation

page read and write

5C00000

trusted library allocation

page read and write

6C50000

trusted library allocation

page execute and read and write

1346000

heap

page read and write

55F0000

trusted library allocation

page read and write

3CF1000

trusted library allocation

page read and write

97C000

stack

page read and write

68F0000

trusted library allocation

page read and write

E0E000

stack

page read and write

15E1000

heap

page read and write

3147000

trusted library allocation

page read and write

2CBA000

trusted library allocation

page read and write

6BE0000

trusted library allocation

page execute and read and write

5200000

heap

page read and write

5617000

trusted library allocation

page read and write

689F000

trusted library allocation

page read and write

103D000

heap

page read and write

2CB5000

trusted library allocation

page read and write

2CD1000

trusted library allocation

page read and write

68B1000

trusted library allocation

page read and write

6900000

trusted library allocation

page read and write

7ABE000

stack

page read and write

51A6000

trusted library allocation

page read and write

8FB6000

heap

page read and write

2CC0000

heap

page read and write

134A000

heap

page read and write

64C0000

trusted library allocation

page read and write

15F3000

heap

page read and write

64E0000

trusted library allocation

page read and write

1420000

trusted library allocation

page read and write

31EE000

stack

page read and write

6530000

trusted library allocation

page read and write

4251000

trusted library allocation

page read and write

676A000

trusted library allocation

page read and write

1050000

heap

page read and write

6565000

heap

page read and write

5640000

heap

page read and write

57A0000

trusted library allocation

page read and write

1278000

trusted library allocation

page read and write

51E0000

heap

page execute and read and write

6533000

trusted library allocation

page read and write

65B0000

heap

page read and write

2D5F000

trusted library allocation

page read and write

3CDB000

trusted library allocation

page read and write

67A0000

trusted library allocation

page read and write

6749000

trusted library allocation

page read and write

68C2000

trusted library allocation

page read and write

6790000

trusted library allocation

page execute and read and write

7CDE000

stack

page read and write

1005000

heap

page read and write

3D3F000

trusted library allocation

page read and write

3EEF000

trusted library allocation

page read and write

64D0000

trusted library allocation

page execute and read and write

3240000

heap

page read and write

3191000

trusted library allocation

page read and write

68B6000

trusted library allocation

page read and write

6CE61000

unkown

page execute read

6BD0000

trusted library allocation

page execute and read and write

54EE000

stack

page read and write

FAB000

heap

page read and write

31A0000

trusted library allocation

page read and write

6EBF000

stack

page read and write

6780000

trusted library allocation

page execute and read and write

11C2000

trusted library allocation

page read and write

6550000

heap

page read and write

154C000

heap

page read and write

652B000

trusted library allocation

page read and write

There are 301 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
8bZMO28ywp.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report8bZMO28ywp.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
8bZMO28ywp.exe