Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

CCdaw0qbbo.exe

PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	6.512175229216102
Filename:	CCdaw0qbbo.exe
Filesize:	566784
MD5:	1c7fa29f87c23abfa490a5e8909a310a
SHA1:	35c09cc093085c3924cab4c34572387d920ac185
SHA256:	3e0b58b606aeb4cbf53aa42f471ae31960309cb01e2a3872b1db400c9694012b
SHA512:	5fce78d4a06352a5937b14b4a877be7a32874fc27e0f5dc409a1bddcd5526e534cf3f416a58b8e4de0a559043b0be4bfb57146b1682ba33806f47141b1cdb5dd
SSDEEP:	12288:+CFjaM7SlWi+CqGndxB0T7JfdI0n3cTS+T54zfR2x/a/A2vz4UTKZLmRmV/MeiWE:+CtaM7kN+v4Fk7JfwuP
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Found malware configuration	AV Detection
Malicious sample detected (through community Yara rule)	System Summary
Multi AV Scanner detection for submitted file	AV Detection
.NET source code contains potential unpacker	Data Obfuscation	Software Packing
.NET source code contains very large array initializations	System Summary	Disable or Modify Tools
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion
Contains functionality to inject code into remote processes	HIPS / PFW / Operating System Protection Evasion
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Machine Learning detection for sample	AV Detection
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains functionality to call native functions	System Summary
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to query CPU information (cpuid)	Language, Device and Operating System Detection	System Information Discovery
Contains functionality which may be used to detect a debugger (GetProcessHeap)	Anti Debugging
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Found potential string decryption / allocating functions	System Summary	Deobfuscate/Decode Files or Information
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Yara signature match	System Summary
.NET source code contains long base64-encoded strings	System Summary	Disable or Modify Tools Obfuscated Files or Information
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Reads software policies	System Summary
Sample is known by Antivirus	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CCdaw0qbbo.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CCdaw0qbbo.exe.log
Category:	dropped
Dump:	CCdaw0qbbo.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\CCdaw0qbbo.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	4.0050635535766075
Encrypted:	false
Ssdeep:	3:QHXMKa/xwwUy:Q3La/xwQ
Size:	42
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\d3d9.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Roaming\d3d9.dll
Category:	dropped
Dump:	d3d9.dll.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\CCdaw0qbbo.exe
Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy:	6.836363651510998
Encrypted:	false
Ssdeep:	3072:kU1shOBTvlH9UMVT2fCX2OqpPIveuW5qi1VJnzMEUAmC23LCGch20f6XgKmv9/Pa:EhyvldhVUCGOKF1fMEkbRU2Nmv9tH
Size:	286208
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Drops PE files	Persistence and Installation Behavior
Found dropped PE file which has not been started or loaded	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
Category:	dropped
Dump:	MSBuild.exe.log.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	5.330114603578639
Encrypted:	false
Ssdeep:	48:MxHKlYHKh3okHafHK7HKhBHKntHo6hAHKzeEHK8THQmHKtXoPHZHjHKx1qHDJHxQ:iqlYqh3okmq7qLqntI6eqzPqojqo5DqD
Size:	2545
Whitelisted:	false
Reputation:	low

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\CCdaw0qbbo.exe

"C:\Users\user\Desktop\CCdaw0qbbo.exe"

Details

Is windows:	false
Is dropped:	false
PID:	6788
Target ID:	0
Parent PID:	2580
Name:	CCdaw0qbbo.exe
Path:	C:\Users\user\Desktop\CCdaw0qbbo.exe
Commandline:	"C:\Users\user\Desktop\CCdaw0qbbo.exe"
Size:	566784
MD5:	1C7FA29F87C23ABFA490A5E8909A310A
Time:	19:36:51
Date:	26/07/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x480000
Modulesize:	589824
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AntiVM3	Malware Analysis System Evasion
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7060
Target ID:	2
Parent PID:	6788
Name:	MSBuild.exe
Class:	system-tools
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Size:	262432
MD5:	8FDF47E0FF70C40ED3A17014AEEA4232
Time:	19:36:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x910000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RedLine Stealer	Stealing of Sensitive Information, Remote Access Functionality
Allocates memory in foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Writes to foreign memory regions	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Yara detected Credential Stealer	Stealing of Sensitive Information
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6808
Target ID:	1
Parent PID:	6788
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	19:36:52
Date:	26/07/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://t.me/+J_Z1QGHfHko0MGZi

149.154.167.99

https://t.me/

unknown

https://t.me/+J_Z1QGHfHko0MGZi*https://steamcommunity.com/id/elcadillac

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary

unknown

http://tempuri.org/Contract/MSValue3ResponseD

unknown

http://tempuri.org/Contract/MSValue2Response

unknown

http://tempuri.org/

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1

unknown

http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret

unknown

http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/fault

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey

unknown

https://api.ip.sb/ip

unknown

http://schemas.xmlsoap.org/ws/2004/04/sc

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1

unknown

http://tempuri.org/Contract/MSValue3Response

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce

unknown

http://tempuri.org/Contract/MSValue2ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/faultD

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Renew

unknown

http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT

unknown

http://schemas.xmlsoap.org/ws/2006/02/addressingidentity

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1

unknown

http://tempuri.org/Contract/MSValue1

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust

unknown

http://tempuri.org/Contract/MSValue2

unknown

http://tempuri.org/Contract/MSValue3

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT

unknown

http://tempuri.org/D

unknown

http://schemas.xmlsoap.org/ws/2004/06/addressingex

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey

unknown

http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ

unknown

http://www.w3.o

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

unknown

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault

unknown

http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel

unknown

http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT

unknown

http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

unknown

http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous

unknown

http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap

unknown

http://schemas.xmlsoap.org/ws/2002/12/policy

unknown

http://schemas.xmlsoap.org/ws/2005/02/sc/dk

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue

unknown

http://tempuri.org/Contract/MSValue1ResponseD

unknown

http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue

unknown

http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit

unknown

http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/Issue

unknown

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

unknown

There are 90 hidden URLs, click here to show them.

Domains

Name

Malicious

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
C2 URLs / IPs found in malware configuration	Networking	Application Layer Protocol
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
HTTP GET or POST without a user agent	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

up.nexgor.top

157.90.30.125

Details

Name:	up.nexgor.top
IP:	157.90.30.125
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

Domain

Country

Malicious

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Silenttrinity Stager Msbuild Activity	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

157.90.30.125

up.nexgor.top

United States

Details

IP:	157.90.30.125
TargetID:	2
Current Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	766
ASN name:	REDIRISRedIRISAutonomousSystemES
Private:	false
Domain:	up.nexgor.top

Signature Hits	Behavior Group	Mitre Attack
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS

FileDirectory

There are 5 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

6E37A000

unkown

page read and write

402000

remote allocation

page execute and read and write

67D0000

trusted library allocation

page read and write

F42000

trusted library allocation

page read and write

6710000

trusted library allocation

page read and write

2583000

trusted library allocation

page execute and read and write

1340000

heap

page read and write

68FB000

trusted library allocation

page read and write

106B000

heap

page read and write

83DE000

stack

page read and write

A20000

heap

page read and write

6D80000

trusted library allocation

page read and write

679D000

trusted library allocation

page read and write

2E26000

trusted library allocation

page read and write

F80000

trusted library allocation

page read and write

3DF1000

trusted library allocation

page read and write

64A0000

trusted library allocation

page read and write

1010000

trusted library allocation

page execute and read and write

572A000

heap

page read and write

F2D000

trusted library allocation

page execute and read and write

B80000

heap

page read and write

7020000

trusted library allocation

page execute and read and write

68F0000

trusted library allocation

page read and write

586E000

stack

page read and write

1078000

heap

page read and write

5C30000

trusted library allocation

page execute and read and write

6544000

heap

page read and write

1109000

heap

page read and write

6939000

trusted library allocation

page read and write

6517000

heap

page read and write

10D8000

heap

page read and write

F3D000

trusted library allocation

page execute and read and write

F52000

trusted library allocation

page read and write

92C9000

trusted library allocation

page read and write

937000

heap

page read and write

7A70000

trusted library allocation

page execute and read and write

9261000

trusted library allocation

page read and write

2DB1000

trusted library allocation

page read and write

FF0F0000

trusted library allocation

page execute and read and write

6519000

heap

page read and write

6730000

trusted library allocation

page execute and read and write

58AE000

stack

page read and write

910000

heap

page read and write

3E15000

trusted library allocation

page read and write

6916000

trusted library allocation

page read and write

2DB6000

trusted library allocation

page read and write

678B000

trusted library allocation

page read and write

6E373000

unkown

page readonly

67C0000

trusted library allocation

page read and write

2DE0000

heap

page execute and read and write

2594000

trusted library allocation

page read and write

6925000

trusted library allocation

page read and write

686D000

stack

page read and write

10D1000

heap

page read and write

93C000

heap

page read and write

5240000

heap

page read and write

65B6000

heap

page read and write

2DF1000

trusted library allocation

page read and write

6800000

trusted library allocation

page read and write

6C36000

trusted library allocation

page read and write

10E3000

heap

page read and write

3E5D000

trusted library allocation

page read and write

6B4E000

stack

page read and write

10F5000

heap

page read and write

58D0000

trusted library allocation

page read and write

67F0000

trusted library allocation

page execute and read and write

68B3000

trusted library allocation

page read and write

65CA000

heap

page read and write

8FD0000

heap

page read and write

F70000

heap

page read and write

636E000

stack

page read and write

482000

unkown

page readonly

56A0000

heap

page read and write

E20000

heap

page read and write

100C000

stack

page read and write

562E000

stack

page read and write

68C0000

trusted library allocation

page read and write

6788000

trusted library allocation

page read and write

6C8E000

stack

page read and write

27A8000

trusted library allocation

page read and write

6582000

heap

page read and write

68E0000

trusted library allocation

page read and write

579A000

heap

page read and write

2570000

trusted library allocation

page read and write

6696000

heap

page read and write

6795000

trusted library allocation

page read and write

6790000

trusted library allocation

page read and write

6CA0000

trusted library allocation

page execute and read and write

E40000

heap

page read and write

64F6000

heap

page read and write

5C40000

trusted library allocation

page read and write

952000

heap

page read and write

B7E000

stack

page read and write

5635000

trusted library allocation

page read and write

3FA5000

trusted library allocation

page read and write

6740000

trusted library allocation

page read and write

8FE6000

heap

page read and write

650A000

heap

page read and write

37A1000

trusted library allocation

page read and write

6E351000

unkown

page execute read

2E3B000

trusted library allocation

page read and write

B3E000

stack

page read and write

2BE0000

heap

page read and write

1121000

heap

page read and write

2D6D000

stack

page read and write

67BF000

trusted library allocation

page read and write

2681000

trusted library allocation

page read and write

6756000

trusted library allocation

page read and write

659F000

heap

page read and write

6700000

trusted library allocation

page read and write

6C90000

trusted library allocation

page read and write

10C9000

heap

page read and write

4E8E000

stack

page read and write

67AF000

trusted library allocation

page read and write

690E000

trusted library allocation

page read and write

4EED000

stack

page read and write

552E000

stack

page read and write

66DF000

heap

page read and write

2DAB000

trusted library allocation

page read and write

6504000

heap

page read and write

582D000

stack

page read and write

8105000

trusted library allocation

page read and write

4D40000

trusted library section

page read and write

567D000

trusted library allocation

page read and write

5640000

trusted library allocation

page read and write

6FA0000

trusted library allocation

page read and write

64F0000

heap

page read and write

2590000

trusted library allocation

page read and write

5661000

trusted library allocation

page read and write

F24000

trusted library allocation

page read and write

6922000

trusted library allocation

page read and write

41E000

remote allocation

page execute and read and write

918000

heap

page read and write

6490000

trusted library allocation

page read and write

3E02000

trusted library allocation

page read and write

A5E0000

trusted library allocation

page execute and read and write

2E3F000

trusted library allocation

page read and write

59C000

stack

page read and write

4CEE000

stack

page read and write

1114000

heap

page read and write

1040000

heap

page read and write

F30000

trusted library allocation

page read and write

10CE000

heap

page read and write

6911000

trusted library allocation

page read and write

2DA0000

trusted library allocation

page read and write

1030000

trusted library allocation

page read and write

693B000

trusted library allocation

page read and write

6670000

heap

page read and write

68F4000

trusted library allocation

page read and write

3E61000

trusted library allocation

page read and write

6480000

trusted library allocation

page read and write

542E000

stack

page read and write

75AE000

heap

page read and write

6DB0000

trusted library allocation

page execute and read and write

5764000

heap

page read and write

3E54000

trusted library allocation

page read and write

5732000

heap

page read and write

2CEF000

stack

page read and write

F20000

trusted library allocation

page read and write

6F50000

trusted library allocation

page read and write

6FC0000

heap

page read and write

8FA000

stack

page read and write

10BF000

heap

page read and write

646E000

stack

page read and write

9CE000

heap

page read and write

6E397000

unkown

page readonly

5677000

trusted library allocation

page read and write

D40000

heap

page read and write

1020000

trusted library allocation

page read and write

133E000

stack

page read and write

4C80000

heap

page read and write

6C40000

trusted library allocation

page execute and read and write

730E000

stack

page read and write

6679000

heap

page read and write

27A1000

trusted library allocation

page read and write

6904000

trusted library allocation

page read and write

65A3000

heap

page read and write

25B0000

trusted library allocation

page read and write

2E7F000

trusted library allocation

page read and write

400000

remote allocation

page execute and read and write

6908000

trusted library allocation

page read and write

25D0000

trusted library allocation

page read and write

58C0000

trusted library allocation

page read and write

5230000

heap

page read and write

2DCE000

trusted library allocation

page read and write

4D50000

trusted library allocation

page read and write

10D4000

heap

page read and write

1346000

heap

page read and write

C8F000

stack

page read and write

1105000

heap

page read and write

91E000

heap

page read and write

2BCE000

stack

page read and write

9B1000

heap

page read and write

9C6000

heap

page read and write

6B50000

trusted library allocation

page read and write

F55000

trusted library allocation

page execute and read and write

67B5000

trusted library allocation

page read and write

3E0E000

trusted library allocation

page read and write

67C3000

trusted library allocation

page read and write

10BC000

heap

page read and write

65D8000

heap

page read and write

2D90000

heap

page execute and read and write

66F0000

trusted library allocation

page execute and read and write

2E2E000

trusted library allocation

page read and write

6D90000

trusted library allocation

page execute and read and write

7A6E000

stack

page read and write

10E0000

heap

page read and write

68D0000

trusted library allocation

page read and write

2B6E000

stack

page read and write

111D000

heap

page read and write

E45000

heap

page read and write

6D70000

trusted library allocation

page read and write

A25000

heap

page read and write

CF7000

stack

page read and write

1048000

heap

page read and write

6570000

heap

page read and write

68B0000

trusted library allocation

page read and write

97B000

heap

page read and write

6F4E000

stack

page read and write

F57000

trusted library allocation

page execute and read and write

652E000

heap

page read and write

68AE000

stack

page read and write

2D93000

heap

page execute and read and write

400F000

trusted library allocation

page read and write

6753000

trusted library allocation

page read and write

6602000

heap

page read and write

65E3000

heap

page read and write

653A000

heap

page read and write

5630000

trusted library allocation

page read and write

6780000

trusted library allocation

page read and write

F23000

trusted library allocation

page execute and read and write

493E000

stack

page read and write

6F60000

trusted library allocation

page execute and read and write

6566000

heap

page read and write

6C20000

trusted library allocation

page read and write

6692000

heap

page read and write

9DC000

stack

page read and write

56D0000

heap

page read and write

6DA0000

trusted library allocation

page execute and read and write

25B7000

trusted library allocation

page execute and read and write

F50000

trusted library allocation

page read and write

2690000

heap

page read and write

A10000

heap

page read and write

75C8000

heap

page read and write

67BA000

trusted library allocation

page read and write

3E08000

trusted library allocation

page read and write

7570000

heap

page read and write

563A000

trusted library allocation

page read and write

5691000

trusted library allocation

page read and write

6521000

heap

page read and write

2B2E000

stack

page read and write

7580000

heap

page read and write

123E000

stack

page read and write

6799000

trusted library allocation

page read and write

2DC2000

trusted library allocation

page read and write

267E000

stack

page read and write

ECE000

stack

page read and write

FCE000

stack

page read and write

6930000

trusted library allocation

page read and write

57C6000

heap

page read and write

7588000

heap

page read and write

5650000

trusted library allocation

page read and write

9DA000

heap

page read and write

700B000

stack

page read and write

84DF000

stack

page read and write

6E350000

unkown

page readonly

900000

heap

page read and write

6919000

trusted library allocation

page read and write

67A8000

trusted library allocation

page read and write

3DFB000

trusted library allocation

page read and write

67E0000

trusted library allocation

page execute and read and write

6760000

trusted library allocation

page execute and read and write

263E000

stack

page read and write

6770000

heap

page execute and read and write

134E000

heap

page read and write

F5B000

trusted library allocation

page execute and read and write

25BB000

trusted library allocation

page execute and read and write

6C10000

trusted library allocation

page read and write

6720000

trusted library allocation

page read and write

66EE000

heap

page read and write

2D2E000

stack

page read and write

25E0000

trusted library allocation

page execute and read and write

6470000

trusted library allocation

page execute and read and write

4CA0000

trusted library allocation

page read and write

6623000

heap

page read and write

D8F000

stack

page read and write

80EC000

trusted library allocation

page read and write

F10000

trusted library allocation

page read and write

4D80000

heap

page execute and read and write

480000

unkown

page readonly

5670000

trusted library allocation

page read and write

6DC0000

heap

page read and write

657A000

heap

page read and write

68FF000

trusted library allocation

page read and write

6750000

trusted library allocation

page read and write

2584000

trusted library allocation

page read and write

691D000

trusted library allocation

page read and write

F46000

trusted library allocation

page execute and read and write

6C30000

trusted library allocation

page read and write

ED0000

heap

page read and write

F40000

trusted library allocation

page read and write

57B2000

heap

page read and write

279E000

stack

page read and write

6645000

heap

page read and write

5C2E000

stack

page read and write

25F0000

heap

page execute and read and write

DB0000

heap

page read and write

90D1000

trusted library allocation

page read and write

75C2000

heap

page read and write

6557000

heap

page read and write

E8E000

stack

page read and write

7030000

trusted library allocation

page read and write

4D3E000

stack

page read and write

6BEE000

stack

page read and write

6F90000

trusted library allocation

page read and write

There are 305 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
CCdaw0qbbo.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportCCdaw0qbbo.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
CCdaw0qbbo.exe