Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1417092
MD5: 9aa0e1cb84eaa0bf8e0c69154b797261
SHA1: fec3447e88cc504eb088a2c7e3f7a493e339aa1e
SHA256: b72dd501577e9c1a22f9f5cee67e253353c1e1691fd981db7ee188f8c03d8c54
Tags: exe

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5508 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9AA0E1CB84EAA0BF8E0C69154B797261)
    • conhost.exe (PID: 2124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "5.42.65.0:29587", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.2121698852.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: file.exe PID: 5508 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.4335570.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.4335570.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Timestamp: 03/28/24-15:51:09.267483
SID: 2043231
Source Port: 49706
Destination Port: 29587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/28/24-15:50:57.130916
SID: 2046045
Source Port: 49706
Destination Port: 29587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/28/24-15:51:02.565364
SID: 2046056
Source Port: 29587
Destination Port: 49706
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 03/28/24-15:50:57.318474
SID: 2043234
Source Port: 29587
Destination Port: 49706
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "5.42.65.0:29587", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.pdbd source: WERBD25.tmp.dmp.6.dr
Source: Binary string: mscorlib.pdb source: WERBD25.tmp.dmp.6.dr
Source: Binary string: System.ni.pdbRSDS source: WERBD25.tmp.dmp.6.dr
Source: Binary string: c:\dlj151gyhd8m\obj\Release\Friendly.pdb source: file.exe
Source: Binary string: Friendly.pdb source: WERBD25.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb source: WERBD25.tmp.dmp.6.dr
Source: Binary string: System.Core.pdb source: WERBD25.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBD25.tmp.dmp.6.dr
Source: Binary string: \??\C:\Users\user\Desktop\Friendly.pdb source: file.exe, 00000000.00000002.2111271353.0000000001612000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WERBD25.tmp.dmp.6.dr
Source: Binary string: System.pdb source: WERBD25.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBD25.tmp.dmp.6.dr
Source: Binary string: System.Core.ni.pdb source: WERBD25.tmp.dmp.6.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07AC395Fh | 2_2_07AC3200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07ACB560h | 2_2_07ACB068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07AC915Bh | 2_2_07AC8E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07AC7D0Ah | 2_2_07AC7A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07AC6D99h | 2_2_07AC6D81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 07AC0D0Eh | 2_2_07AC0CED

Networking

Source: Traffic | Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49706 -> 5.42.65.0:29587
Source: Traffic | Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.5:49706 -> 5.42.65.0:29587
Source: Traffic | Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.0:29587 -> 192.168.2.5:49706
Source: Traffic | Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.0:29587 -> 192.168.2.5:49706
Source: Malware configuration extractor | URLs: 5.42.65.0:29587
Source: global traffic | TCP traffic: 5.42.65.0 ports 2,5,29587,7,8,9
Source: global traffic | TCP traffic: 192.168.2.5:49706 -> 5.42.65.0:29587
Source: Joe Sandbox View | ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown | TCP traffic detected without corresponding DNS query: 5.42.65.0 (50 identical entries)
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000002.00000002.2126528810.000000000189E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://purl.oen
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003624000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000036F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003706000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003676000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000036F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: file.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2121698852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000002.00000002.2148667041.000000000440C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

Source: file.exe, RemoteObjects.cs | Large array initialization: RemoteObjects: array initializer size 308224
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01570EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0133DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC8728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC56F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC6498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC7350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC3200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07ACB068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07ACCFE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC1EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC0D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC5D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07ACDD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC7A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC1990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC98C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC2828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC56E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC3E8E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC1EE8
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 912
Source: file.exe | Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRanter.exe8 vs file.exe
Source: file.exe, 00000000.00000000.1974127747.0000000000EB2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe, 00000000.00000002.2111660374.0000000003333000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: file.exe, 00000000.00000002.2111271353.00000000015DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameFriendly.exe4 vs file.exe
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/6@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5508
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8f9b8bcb-314b-4f8a-b99b-0cadccdbb7dd
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003894000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.000000000387E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 912
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.pdbd source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.pdb source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: System.ni.pdbRSDS source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: c:\dlj151gyhd8m\obj\Release\Friendly.pdb source: file.exe
                      Source: Binary string: Friendly.pdb source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.ni.pdb source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: System.Core.pdb source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: \??\C:\Users\user\Desktop\Friendly.pdb source: file.exe, 00000000.00000002.2111271353.0000000001612000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.ni.pdb source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: System.pdb source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WERBD25.tmp.dmp.6.dr
                      Source: Binary string: System.Core.ni.pdb source: WERBD25.tmp.dmp.6.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_07AC173F push es; iretd 2_2_07AC174C
Source: file.exe | Static PE information: section name: .text entropy: 7.9870176525205485
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (76 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 occurrences)
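The process-creation events above (a dropper on the Desktop launching RegAsm.exe with nothing but its own path as the command line) and the WMI queries and thread delays listed in the evasion section that follows are the lines an analyst reads first from a report like this. The script below is an added example, not part of the original report and not Joe Sandbox's own tooling: it parses the report's "Source: ... <event>: ..." lines (with or without the " | " separator, with or without a trailing "Jump to behavior" link) and raises a finding for each of those three indicators. The list of .NET hosts treated as hollowing targets, the list of WMI classes treated as VM fingerprinting, the three-minute sleep threshold and the user-writable directory prefixes are this example's own assumptions; the sample events are a constructed subset of this report's lines.

```python
"""
Triage helper for the behaviour lines in this report (an added example; it is
not part of the original page or of Joe Sandbox's own tooling). It parses the
'Source: ... <event>: ...' lines as printed above, with or without a ' | '
separator and with or without a trailing 'Jump to behavior' link, and flags:
  * a dropper running from a user-writable path that launches a .NET
    framework utility with no arguments (the usual shape of process hollowing),
  * WMI queries against classes commonly read to fingerprint a hypervisor,
  * thread delays long enough to outlast a sandbox run.
The target list, class list and sleep threshold are this example's own
assumptions, not values taken from the report.
"""
import re
from dataclasses import dataclass

EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)\s*\|?\s*"
    r"(?P<kind>Process created|WMI Queries|Thread delayed):\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)
# Joe Sandbox prints the image path, then the full command line.
PROC_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.*)$", re.IGNORECASE)
WMI_CLASS_RE = re.compile(r"\bFROM\s+(?P<cls>\w+)", re.IGNORECASE)
DELAY_RE = re.compile(r"delay time:\s*(?P<ms>\d+)")

# Assumed lists (not from the report): .NET hosts often used as hollowing
# targets, WMI classes often queried to detect a VM, and dropper locations.
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
VM_CLASSES = {"win32_diskdrive", "win32_videocontroller", "win32_processor",
              "win32_computersystem", "win32_bios"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
LONG_SLEEP_MS = 3 * 60 * 1000            # assumed threshold: three minutes
TIMESPAN_MAX_MS = 922_337_203_685_477    # .NET TimeSpan.MaxValue in whole ms: (2**63 - 1) // 10_000


@dataclass(frozen=True)
class Finding:
    category: str
    source: str
    detail: str


def parse_event(line):
    """Return (source, kind, detail) for a recognised event line, else None."""
    m = EVENT_RE.match(line.strip())
    return (m["src"], m["kind"], m["detail"].strip()) if m else None


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def no_arguments(image, cmdline):
    # A command line that is only the (possibly quoted) image path carries no arguments.
    return cmdline.strip().strip('"').lower() == image.strip().lower()


def analyze(lines):
    """Run the three checks over report lines and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, kind, detail = ev
        if kind == "Process created":
            pm = PROC_RE.match(detail)
            if pm is None:
                continue
            image, cmdline = pm["image"], pm["cmdline"]
            from_user_dir = any(d in src.lower() for d in USER_WRITABLE)
            if from_user_dir and basename(image) in HOLLOW_TARGETS and no_arguments(image, cmdline):
                findings.append(Finding("hollowing_target", src,
                                        f"{basename(image)} launched with no arguments"))
        elif kind == "WMI Queries":
            cm = WMI_CLASS_RE.search(detail)
            if cm and cm["cls"].lower() in VM_CLASSES:
                findings.append(Finding("vm_fingerprint_wmi", src, cm["cls"]))
        elif kind == "Thread delayed":
            dm = DELAY_RE.search(detail)
            if dm:
                ms = int(dm["ms"])
                if ms == TIMESPAN_MAX_MS:
                    findings.append(Finding("sleep_timespan_max", src, "TimeSpan.MaxValue"))
                elif ms >= LONG_SLEEP_MS:
                    findings.append(Finding("long_sleep", src, f"{ms} ms"))
    return findings


# Constructed sample: a handful of this report's own events, some with the
# ' | ' separator and some in the raw fused form with the trailing link.
SAMPLE_EVENTS = [
    r'Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior',
    r'Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 912',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 1000',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.source}: {f.detail}")
```

Win32_Process queries are deliberately not flagged: enumerating processes is what the stealer does to find browsers and wallets, and it is also what legitimate software does, so it carries no VM-detection signal on its own. The 922337203685477 value is worth recognising by exact match rather than threshold, since it is TimeSpan.MaxValue in milliseconds and therefore a "sleep forever" rather than a timed delay.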

                      Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1530000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 3330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 18D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 1781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7328 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4724 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: Amcache.hve.6.drBinary or memory string: VMware20,1
                      Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Generation Counter
                      Source: Amcache.hve.6.drBinary or memory string: NECVMWar VMware SATA CD00
                      Source: Amcache.hve.6.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                      Source: Amcache.hve.6.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                      Source: Amcache.hve.6.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                      Source: Amcache.hve.6.drBinary or memory string: VMware PCI VMCI Bus Device
                      Source: Amcache.hve.6.drBinary or memory string: VMware VMCI Bus Device
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                      Source: Amcache.hve.6.drBinary or memory string: VMware Virtual RAM
                      Source: Amcache.hve.6.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                      Source: Amcache.hve.6.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: Amcache.hve.6.drBinary or memory string: VMware Virtual USB Mouse
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2126833049.0000000003326000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655LRcqDa2
                      Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin
                      Source: Amcache.hve.6.drBinary or memory string: VMware, Inc.
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                      Source: Amcache.hve.6.drBinary or memory string: VMware20,1hbin@
                      Source: Amcache.hve.6.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                      Source: Amcache.hve.6.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                      Source: Amcache.hve.6.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: Amcache.hve.6.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                      Source: Amcache.hve.6.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                      Source: RegAsm.exe, 00000002.00000002.2126137812.000000000142D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                      Source: Amcache.hve.6.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                      Source: Amcache.hve.6.drBinary or memory string: vmci.syshbin`
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: Amcache.hve.6.drBinary or memory string: \driver\vmci,\driver\pci
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                      Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                      Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_07AC98C8 LdrInitializeThunk,2_2_07AC98C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
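Two different kinds of evidence are mixed in the virtualization-detection list above, and a reader should not weigh them the same way. Lines sourced from Amcache.hve.6.dr come from the sandbox host's own application-compatibility hive (it records the VMware SATA CD, VMCI bus and the SMBIOS product "VMware20,1"), so they describe the analysis VM, not anything the sample did. Lines sourced from RegAsm.exe process memory are the stealer's runtime data, and each one ends in that same "VMware20,1" product string, which is what a stealer collecting host hardware identity looks like in memory. The helper below, added here as an example and not part of the Joe Sandbox report, parses lines of this shape, separates the two origins, recovers the SMBIOS product name from the Amcache BIOS record and reports which process-memory strings embed it and which strings recur across memory regions. The field meanings assigned to the dump reference (process index, second index, dump id, region base, four flag words) are an assumption read off the report's format, the ten-digit suffix after "VMware20,1" is left uninterpreted, and the sample lines are constructed to match the report's shape.

```python
import re
from collections import defaultdict

# Joe Sandbox "Binary or memory string" evidence line.  Both the flattened
# form ("...sdmpBinary or memory string: ...") and the separated form
# ("...sdmp | Binary or memory string: ...") are accepted.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*Binary or memory string:\s*(?P<text>.*)$"
)
# Process-memory dump reference.  Field meanings are an ASSUMPTION inferred
# from the report's format: process index, second index, numeric dump id,
# 64-bit region base, then four opaque flag words.
SDMP_RE = re.compile(
    r"^(?P<process>[^,]+),\s*(?P<pidx>[0-9A-Fa-f]{8})\.(?P<idx2>[0-9A-Fa-f]{8})"
    r"\.(?P<dump_id>\d+)\.(?P<base>[0-9A-Fa-f]{16})(?:\.[0-9A-Fa-f]{8}){4}\.sdmp$"
)
# Dropped/collected file reference, e.g. "Amcache.hve.6.dr".
DROP_RE = re.compile(r"^(?P<name>.+?)\.(?P<pidx>\d+)\.dr$")
# SMBIOS product name inside the Amcache BIOS record.  The value itself can
# contain a comma ("VMware20,1"), so stop only at the next "Key:" field.
PRODUCT_RE = re.compile(r"SystemProduct:(?P<product>.*?)(?=,[A-Za-z]+:|$)")


def parse_line(line):
    """Split one evidence line into (origin, text); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    source, text = m.group("source"), m.group("text")
    s = SDMP_RE.match(source)
    if s:
        return {"kind": "memory", "process": s.group("process"),
                "pidx": int(s.group("pidx"), 16),
                "base": int(s.group("base"), 16)}, text
    d = DROP_RE.match(source)
    if d:
        return {"kind": "dropped", "name": d.group("name"),
                "pidx": int(d.group("pidx"))}, text
    return {"kind": "other", "raw": source}, text


def region_label(origin):
    return f"{origin['process']}[{origin['pidx']}]@0x{origin['base']:08X}"


def triage(lines):
    """Separate analysis-environment artifacts from sample process memory.

    Amcache.hve belongs to the sandbox host, so its VMware/Hyper-V strings
    are environment inventory.  Process-memory strings are the sample's own
    data; if they embed the host's SMBIOS product name, the sample read it.
    """
    by_text = defaultdict(set)      # memory string -> regions it appears in
    env_strings = []
    host_product = None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        origin, text = parsed
        if origin["kind"] == "memory":
            by_text[text].add(region_label(origin))
        elif origin["kind"] == "dropped" and origin["name"].lower() == "amcache.hve":
            env_strings.append(text)
            pm = PRODUCT_RE.search(text)
            if pm and pm.group("product"):
                host_product = pm.group("product")
    embeds_host = [t for t in by_text if host_product and host_product in t]
    return {
        "host_product": host_product,
        "environment_only_hits": len(env_strings),
        "distinct_memory_strings": len(by_text),
        "memory_strings_embedding_host_product": sorted(embeds_host),
        "cross_region_duplicates": {t: sorted(r) for t, r in by_text.items() if len(r) > 1},
    }


# Constructed sample lines in the shape of the report's evidence (not a live
# Joe Sandbox export); one is left in the flattened form on purpose.
SAMPLE = [
    "Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]",
    "Source: RegAsm.exe, 00000002.00000002.2148667041.00000000042D9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]",
    "Source: RegAsm.exe, 00000002.00000002.2126833049.00000000035AF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE",
    "Source: RegAsm.exe, 00000002.00000002.2126137812.000000000142D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll",
    "Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device",
    "Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:",
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the sample, the two Amcache lines are reported as environment-only hits, the product name resolves to "VMware20,1", two of the three distinct memory strings embed it, and the Interactive Brokers string is flagged as present in both the 0x035AF000 and 0x042D9000 regions of RegAsm.exe.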

HIPS / PFW / Operating System Protection Evasion

Source: file.exe, Angelo.cs | Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs | Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "FreeConsole")
Source: file.exe, Angelo.cs | Reference to suspicious API methods: Program.GetProcAddress(Program.LoadLibraryA(text.ToLower()), "VirtualProtectEx")
Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_03332115 CreateProcessA, VirtualAlloc, Wow64GetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory, Wow64SetThreadContext, ResumeThread
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: FB7008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000002.00000002.2153831216.0000000006232000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
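The evidence in this section is a textbook process-hollowing chain: file.exe starts the signed Microsoft utility RegAsm.exe (the "Process created" line; the "Creates a process in suspended mode" signature in the summary covers the suspended flag), allocates an execute/read/write region at 0x400000 in it, writes data beginning with 4D5A ("MZ", a PE header) at that base followed by further sections and a higher block, then sets the thread context and resumes it. The hollowed RegAsm.exe, not file.exe, is what goes on to enumerate installed security products through ROOT\SecurityCenter and ROOT\SecurityCenter2. The detector below is an added example, not Joe Sandbox's own signature logic: it correlates those stages per (parent, child) pair, raises a finding only when a PE header was written into the child and the child was then resumed (so a debugger that merely starts and resumes a suspended process is not flagged), and joins the result with the child's SecurityCenter enumeration count. The event schema is a constructed abstraction of what an EDR or sandbox trace provides; PIDs 5508 and 3716 and the paths are taken from this report, and all events are constructed.

```python
from collections import defaultdict

MZ = b"MZ"
SECURITY_CENTER_NS = {"root\\securitycenter", "root\\securitycenter2"}
SECURITY_CENTER_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}


def detect_hollowing(events):
    """Correlate, per (parent_pid, child_pid), the stages of a hollowing chain.

    Stages tracked: child created suspended, RWX allocation in the child, a
    remote write whose data starts with 'MZ', SetThreadContext, ResumeThread.
    A finding requires both the PE-header write and the resume.
    """
    stages = defaultdict(dict)
    child_image = {}
    for ev in events:
        op = ev["op"]
        if op == "process_create":
            child_image[ev["child_pid"]] = ev["child_image"]
            st = stages[(ev["pid"], ev["child_pid"])]
            st["suspended"] = "CREATE_SUSPENDED" in ev.get("flags", ())
            continue
        if "target_pid" not in ev:          # not a cross-process operation
            continue
        st = stages[(ev["pid"], ev["target_pid"])]
        if op == "remote_alloc" and ev.get("protect") == "PAGE_EXECUTE_READWRITE":
            st["rwx_alloc"] = True
        elif op == "remote_write":
            st.setdefault("write_bases", set()).add(ev["base"])
            if ev.get("data_prefix", b"").startswith(MZ):
                st["pe_header_written_at"] = ev["base"]
        elif op == "set_thread_context":
            st["context_set"] = True
        elif op == "resume_thread":
            st["resumed"] = True
    findings = []
    for (parent, child), st in stages.items():
        if "pe_header_written_at" in st and st.get("resumed"):
            findings.append({
                "technique": "process_hollowing",
                "parent_pid": parent, "child_pid": child,
                "child_image": child_image.get(child),
                "image_base": st["pe_header_written_at"],
                "suspended_create": st.get("suspended", False),
                "rwx_alloc": st.get("rwx_alloc", False),
                "context_set": st.get("context_set", False),
                "write_count": len(st.get("write_bases", ())),
            })
    return findings


def detect_av_discovery(events):
    """Count SecurityCenter/SecurityCenter2 product enumerations per process."""
    counts = defaultdict(int)
    for ev in events:
        if ev["op"] != "wmi_query":
            continue
        ns = ev["namespace"].lower()
        cls = ev["query"].lower().split("from", 1)[-1].strip().split()[0]
        if ns in SECURITY_CENTER_NS and cls in SECURITY_CENTER_CLASSES:
            counts[ev["pid"]] += 1
    return dict(counts)


def correlate(events):
    """Attach the hollowed child's AV-enumeration count to each finding."""
    av = detect_av_discovery(events)
    out = []
    for f in detect_hollowing(events):
        f["av_enumeration_queries"] = av.get(f["child_pid"], 0)
        out.append(f)
    return out


# Constructed event stream modelled on the report (PIDs and paths from it).
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FILE_EXE = r"C:\Users\user\Desktop\file.exe"
SAMPLE_EVENTS = [
    {"pid": 5508, "image": FILE_EXE, "op": "process_create", "child_pid": 3716,
     "child_image": REGASM, "flags": ["CREATE_SUSPENDED"]},
    {"pid": 5508, "op": "remote_alloc", "target_pid": 3716, "base": 0x400000,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 5508, "op": "remote_write", "target_pid": 3716, "base": 0x400000, "data_prefix": b"MZ\x90\x00"},
    {"pid": 5508, "op": "remote_write", "target_pid": 3716, "base": 0x402000, "data_prefix": b"\x00\x00"},
    {"pid": 5508, "op": "remote_write", "target_pid": 3716, "base": 0x430000, "data_prefix": b"\x00\x00"},
    {"pid": 5508, "op": "remote_write", "target_pid": 3716, "base": 0x44E000, "data_prefix": b"\x00\x00"},
    {"pid": 5508, "op": "remote_write", "target_pid": 3716, "base": 0xFB7008, "data_prefix": b"\x00\x00"},
    {"pid": 5508, "op": "set_thread_context", "target_pid": 3716},
    {"pid": 5508, "op": "resume_thread", "target_pid": 3716},
    {"pid": 3716, "image": REGASM, "op": "wmi_query", "namespace": r"ROOT\SecurityCenter2",
     "query": "SELECT * FROM AntivirusProduct"},
    {"pid": 3716, "image": REGASM, "op": "wmi_query", "namespace": r"ROOT\SecurityCenter2",
     "query": "SELECT * FROM FirewallProduct"},
    # Benign control: a debugger starts a suspended child and resumes it untouched.
    {"pid": 1200, "image": r"C:\Tools\dbg.exe", "op": "process_create", "child_pid": 1300,
     "child_image": r"C:\Tools\app.exe", "flags": ["CREATE_SUSPENDED"]},
    {"pid": 1200, "op": "resume_thread", "target_pid": 1300},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the sample the only finding is file.exe (5508) hollowing RegAsm.exe (3716) at image base 0x400000 with five distinct write targets, and that child is credited with two SecurityCenter2 queries; the debugger pair produces nothing. In production the same correlation keyed on Sysmon event IDs 1, 8 and 10 or on ETW process/thread events catches this chain even when the target is a different signed host binary.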

Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4335570.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4335570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2121698852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3716, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3716, type: MEMORYSTR
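The file-open list above is the stealer's collection sweep: Chromium credential and cookie stores ("Login Data", "Web Data", "Network\Cookies", "Extension Cookies") for Chrome and Edge, the Firefox profile's cookies.sqlite, and the data directories of Electrum, Exodus, Coinomi, Atomic, Binance, Guarda, Jaxx and an Ethereum keystore. What makes it actionable is the reader of those files: RegAsm.exe is a .NET assembly-registration tool and has no reason to touch any of them. The hunt below is an added example, not part of the report: it classifies opened paths into store categories, groups them by the opening process and raises a verdict when a process outside the category's expected owner set sweeps two or more categories. The owner allowlist keyed on executable basename and the wallet executable names in it are assumptions for illustration (a deployment would key on signer and install path); the sample opens are constructed from this report's paths plus two benign controls.

```python
import re
from collections import defaultdict

# Store categories.  Chromium keeps credentials in "Login Data", form/card
# data in "Web Data" and cookies under "Network\Cookies" or "Extension
# Cookies" inside a profile directory; Firefox keeps cookies.sqlite in a
# profile directory; the wallet list mirrors the report's opened paths.
TARGETS = [
    ("chromium_credentials", re.compile(r"\\user data\\[^\\]+\\(login data|web data)$")),
    ("chromium_cookies", re.compile(r"\\user data\\[^\\]+\\(network\\cookies|extension cookies)$")),
    ("firefox_cookies", re.compile(r"\\mozilla\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$")),
    ("wallet", re.compile(
        r"\\(electrum\\wallets|exodus|ethereum\\wallets|coinomi|atomic|binance|guarda|com\.liberty\.jaxx)(\\|$)")),
]
# ASSUMPTION: processes expected to open each store, keyed on basename only.
EXPECTED_OWNERS = {
    "chromium_credentials": {"chrome.exe", "msedge.exe"},
    "chromium_cookies": {"chrome.exe", "msedge.exe"},
    "firefox_cookies": {"firefox.exe"},
    "wallet": {"electrum.exe", "exodus.exe", "coinomi.exe", "atomic wallet.exe",
               "binance.exe", "guarda.exe", "jaxx liberty.exe"},
}


def classify_path(path):
    """Return the store category a path belongs to, or None."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    for category, rx in TARGETS:
        if rx.search(p):
            return category
    return None


def basename(image):
    return image.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def hunt(file_opens):
    """file_opens: iterable of (process_image, opened_path).

    Per process: categories touched, distinct sensitive paths, categories the
    process is not an expected owner of, and a verdict.  Two or more foreign
    categories from one process is the shape of a stealer sweep.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "paths": set()})
    for image, path in file_opens:
        cat = classify_path(path)
        if cat is None:
            continue
        rec = per_proc[basename(image)]
        rec["categories"].add(cat)
        rec["paths"].add(path.lower().rstrip("\\"))
    findings = {}
    for proc, rec in per_proc.items():
        foreign = {c for c in rec["categories"] if proc not in EXPECTED_OWNERS[c]}
        findings[proc] = {
            "categories": sorted(rec["categories"]),
            "distinct_paths": len(rec["paths"]),
            "foreign_categories": sorted(foreign),
            "verdict": ("stealer_sweep" if len(foreign) >= 2
                        else "review" if foreign else "expected"),
        }
    return findings


# Constructed file-open events: the report's RegAsm.exe paths plus two
# benign controls (Chrome reading its own store, Explorer opening a file).
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
U = r"C:\Users\user\AppData"
SAMPLE_OPENS = [
    (REGASM, U + r"\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite"),
    (REGASM, U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (REGASM, U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (REGASM, U + r"\Local\Google\Chrome\User Data\Default\Web Data"),
    (REGASM, U + r"\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (REGASM, U + "\\Roaming\\Electrum\\wallets\\"),
    (REGASM, U + "\\Roaming\\Exodus\\exodus.wallet\\"),
    (REGASM, U + "\\Local\\Coinomi\\Coinomi\\wallets\\"),
    (REGASM, U + "\\Roaming\\com.liberty.jaxx\\"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\file.exe"),
]

if __name__ == "__main__":
    for proc, finding in hunt(SAMPLE_OPENS).items():
        print(proc, finding)
```

On the sample, regasm.exe touches all four categories across nine distinct paths and is a foreign reader of every one of them, so it is reported as a stealer sweep; chrome.exe opening its own Login Data is reported as expected and explorer.exe does not appear at all.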

Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4335570.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4335570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2121698852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3716, type: MEMORYSTR

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 411 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 241 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 411 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 113 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label | Link
file.exe | 100% | Joe Sandbox ML | |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
5.42.65.0:29587 | true | Virustotal: 2%; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                      • 1%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • 2%, Virustotal, Browse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://tempuri.org/Entity/Id13RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id14RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id15RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • 1%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id16RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id17RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id18RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id19RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000002.00000002.2126833049.0000000003264000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id11ResponseDRegAsm.exe, 00000002.00000002.2126833049.0000000003624000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2126833049.0000000003718000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id17ResponseDRegAsm.exe, 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000002.00000002.2126833049.0000000003171000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP:5.42.65.0
Domain:unknown
Country:Russian Federation
ASN:39493
ASN Name:RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Malicious:true
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1417092
Start date and time:2024-03-28 15:50:08 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 5m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:file.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@5/6@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 28
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
15:51:06 | API Interceptor | 23x Sleep call for process: RegAsm.exe modified
15:51:07 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match:5.42.65.0
Associated Sample Name / URL | Detection | Threat Name | Context
i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader |
file.exe | malicious | PureLog Stealer, RedLine |
No context
Match:RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Associated Sample Name / URL | Detection | Threat Name | Context
i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 5.42.65.117
file.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer | 5.42.65.117
file.exe | malicious | PureLog Stealer, RedLine | 5.42.65.0
2ZQkFRoMrY.exe | malicious | Amadey, PureLog Stealer, RedLine, SmokeLoader, XWorm, zgRAT | 5.42.65.67
file.exe | malicious | PureLog Stealer, RedLine | 5.42.65.68
PqD61y42SJ.exe | malicious | PureLog Stealer, RedLine, zgRAT | 5.42.65.31
file.exe | malicious | RedLine | 5.42.65.68
Vjt694rffx.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 5.42.65.67
R7piqpsoTx.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer | 5.42.65.117
MJ2Ltjq5mk.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer | 5.42.65.117
No context
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9088644997905029
Encrypted:false
SSDEEP:192:XPTBYIv4P4G7lc0BU/7ExaGszuiF8Z24IO8IBLn:NH4n5XBU/qadzuiF8Y4IO88
MD5:96A9E3BC4E6AD391FE9E275508CF452B
SHA1:A97AA6DFB693CB241A0B6233304C53C131079A1F
SHA-256:E25CC58724AD2FB242F66CAD6E1DB91F21C68D3FBC7259D909EB05C65FCA5D38
SHA-512:80B3C93E183B9F68C993327F73172537FE803B55717E8346435E34E89468BEE6F4C1569CE8796A596A758E719E4A9E6858862434FDF3895F650109D4A8EE52B0
Malicious:false
Reputation:low
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.1.1.0.5.4.9.9.3.2.1.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.1.1.0.5.5.8.8.3.8.4.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.8.5.3.7.2.f.-.4.1.b.d.-.4.c.7.e.-.b.8.a.0.-.6.5.1.d.3.0.f.0.5.7.d.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.d.c.3.6.a.8.e.-.6.5.9.5.-.4.d.f.c.-.a.f.f.9.-.a.3.c.5.9.3.5.7.f.1.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.r.i.e.n.d.l.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.4.-.0.0.0.1.-.0.0.1.4.-.2.d.7.7.-.9.6.5.5.1.f.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.6.a.2.e.d.b.6.b.b.5.1.0.7.3.7.a.9.b.2.c.c.e.f.6.c.d.6.d.4.4.2.0.0.0.0.0.0.0.0.!.0.0.0.0.f.e.c.3.4.4.7.e.8.8.c.c.5.0.4.e.b.0.8.8.a.2.c.7.e.3.f.7.a.4.9.3.e.3.3.9.a.a.1.e.!.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Thu Mar 28 14:50:55 2024, 0x1205a4 type
Category:dropped
Size (bytes):173652
Entropy (8bit):3.948470965036866
Encrypted:false
SSDEEP:1536:a4m6QG2CYVuBojROpN4uE2aOjcSVXMLTgnAFZIXABIk9hjCDctTwt7a:afWvYjY4uEqIycLTgAFZb/UmE
MD5:F88DDD50F9F1BA02C01A9D17DE690D5A
SHA1:3D989848D2E5764E1E837F85FBF4225AE4476855
SHA-256:E25CD79DAF5EFE92B8203C7843B325E2140A16F24FABF5F9C97091397672C484
SHA-512:EE0756746D8F7D31258B75B305C51310A830614E7C0D8276CE875247BAA50DC5804BEFE5F9E14BB093E3F88235047027485AF054EC91C8750B1E4674DD14FFF4
Malicious:false
Reputation:low
                                                                                                                                Preview:MDMP..a..... .........f....................................$...............$9..........`.......8...........T...........P$..........................................................................................................eJ......L.......GenuineIntel............T.............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):8310
                                                                                                                                Entropy (8bit):3.696462945225956
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:192:R6l7wVeJ4CY6FU6YEI9SUkfgmfBt34Jwpr089bXYsf3dm:R6lXJg626YECSUkfgmfb4JUXLfQ
                                                                                                                                MD5:37EBE4DC8CE6F3560C6735227F3D78E3
                                                                                                                                SHA1:ABFDF8BA21B6241CC44E08E38A7FEA13583DD77F
                                                                                                                                SHA-256:BAC7E42D93EAEDEAE4D0F8FF563949B983AAA03443901F40F3AEAD34EA0598B7
                                                                                                                                SHA-512:39FE0E387F3DA33AA66A5E77F10C4D44A47D823D55E32E8AB2CF60DE937C1C3F0507C7295D468872A7EBE66E4B8AFD85FE0E15F8C9C55FEECA0F957A57CB78E4
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.8.<./.P.i.
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):4628
                                                                                                                                Entropy (8bit):4.455402863669941
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:48:cvIwWl8zsiJg77aI9/kWpW8VYv6Ym8M4JTAFA+q85OmwZGd:uIjfwI7N97VWzJ1nmw0d
                                                                                                                                MD5:1F7295765846707E6750451FEDECB2A0
                                                                                                                                SHA1:F87289B3A2EC4610E6BA41878423C88772D4F6D6
                                                                                                                                SHA-256:21F9C95A41688306A136A7D034EE3BEDAE34491B6C2FC3EDFF76535E79534A65
                                                                                                                                SHA-512:F95F4C5A8A072E99077F81AE8EB9EBAC10D7166A46A26F2C0832B7A1E5BCB546E31AFFDC265C3F7CA91E744FFDA307BFEF638900CEDEF151368177D9CA5B8908
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="255233" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):3094
                                                                                                                                Entropy (8bit):5.33145931749415
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                                                                                                                MD5:3FD5C0634443FB2EF2796B9636159CB6
                                                                                                                                SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                                                                                                                SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                                                                                                                SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                                                                                                                Malicious:false
                                                                                                                                Reputation:high, very likely benign file
                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                Category:dropped
                                                                                                                                Size (bytes):1835008
                                                                                                                                Entropy (8bit):4.4216089222887405
                                                                                                                                Encrypted:false
                                                                                                                                SSDEEP:6144:fSvfpi6ceLP/9skLmb0OTbWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:qvloTbW+EZMM6DFy403w
                                                                                                                                MD5:32C76A30DC6E11F96CECB7116905FCCE
                                                                                                                                SHA1:F57AC94E48834768D4976A99E04F565E9A9A7F76
                                                                                                                                SHA-256:A202C9971E2D560821C8DD0D76B2ECE62E9D5878B294AA6932D9569B0E0F49A4
                                                                                                                                SHA-512:4F018EBD121C58C206FC5F2542BC7C90943B8D3283CB02610C446578230F3E343A5B8A989950B033703FA1631B4688F0D6438B340996AD4D8A518EE267888BF2
                                                                                                                                Malicious:false
                                                                                                                                Reputation:low
                                                                                                                                Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...V................................................................................................................................................................................................................................................................................................................................................/..b........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                Entropy (8bit):7.973783847711679
                                                                                                                                TrID:
                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                File name:file.exe
                                                                                                                                File size:344'200 bytes
                                                                                                                                MD5:9aa0e1cb84eaa0bf8e0c69154b797261
                                                                                                                                SHA1:fec3447e88cc504eb088a2c7e3f7a493e339aa1e
                                                                                                                                SHA256:b72dd501577e9c1a22f9f5cee67e253353c1e1691fd981db7ee188f8c03d8c54
                                                                                                                                SHA512:4856fa4b27b22f539a4e8f2d68460954a265578e3c5eeb7836e35bda8488091d52114349d9a131fec5fd04e5c4ad7a420a5b1ac58253467ce7eeb36220098019
                                                                                                                                SSDEEP:6144:ycPfB2bf33rP/bWR/3gM/wniJGlXQukamPRiUx8pT76T7Qn48n:DZ2bvbP/b43R43lZkvRijg7Qnp
                                                                                                                                TLSH:2F7422959A789A41CDE3DB30E3F0971B6D364FD265C0A19E34D8A2203F9F3D7CA12859
                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.f................................. ... ....@.. .......................`............`................................
                                                                                                                                Icon Hash:00928e8e8686b000
                                                                                                                                Entrypoint:0x45060e
                                                                                                                                Entrypoint Section:.text
                                                                                                                                Digitally signed:true
                                                                                                                                Imagebase:0x400000
                                                                                                                                Subsystem:windows cui
                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                Time Stamp:0x660546C6 [Thu Mar 28 10:30:30 2024 UTC]
                                                                                                                                TLS Callbacks:
                                                                                                                                CLR (.Net) Version:
                                                                                                                                OS Version Major:4
                                                                                                                                OS Version Minor:0
                                                                                                                                File Version Major:4
                                                                                                                                File Version Minor:0
                                                                                                                                Subsystem Version Major:4
                                                                                                                                Subsystem Version Minor:0
                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                Signature Valid:false
                                                                                                                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                Error Number:-2146869232
                                                                                                                                Not Before, Not After
                                                                                                                                • 18/10/2022 02:00:00 16/10/2025 01:59:59
                                                                                                                                Subject Chain
                                                                                                                                • CN=NVIDIA Corporation, OU=1-F, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
                                                                                                                                Version:3
                                                                                                                                Thumbprint MD5:ADDD0E5C2C1FCB87E286ABF0F7292AF3
                                                                                                                                Thumbprint SHA-1:01DF5BFEFA251B27AC1933E4E4CB61F21C44D57B
                                                                                                                                Thumbprint SHA-256:CCDDF490761FD36F95BB22F6593DE9E2AC4BB190A617F1090DC9224E2713888D
                                                                                                                                Serial:0D0194CD1E3142205135D1C636E4E9BA
                                                                                                                                Instruction
                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
                                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x505b4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x52000 | 0x548 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x4f200 | 0x4e88 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x54000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5047c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4e614 | 0x4e800 | ddb2f3bdd6c3e68150cf67787b48fbd8 | False | 0.9836472432324841 | SysEx File - Passport | 7.9870176525205485 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x52000 | 0x548 | 0x600 | 27c00bea32094ea75bc3655d6224fb83 | False | 0.4055989583333333 | data | 3.939853495965665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x54000 | 0xc | 0x200 | 1a9bca6175c6b9e27164a5754cb3f2df | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x520a0 | 0x2b4 | data | | | 0.4595375722543353
RT_MANIFEST | 0x52358 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/28/24-15:51:09.267483 | TCP | 2043231 | ET TROJAN Redline Stealer TCP CnC Activity | 49706 | 29587 | 192.168.2.5 | 5.42.65.0
03/28/24-15:50:57.130916 | TCP | 2046045 | ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 49706 | 29587 | 192.168.2.5 | 5.42.65.0
03/28/24-15:51:02.565364 | TCP | 2046056 | ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) | 29587 | 49706 | 5.42.65.0 | 192.168.2.5
03/28/24-15:50:57.318474 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 29587 | 49706 | 5.42.65.0 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                Mar 28, 2024 15:51:04.343851089 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.344283104 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.344295025 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.344537020 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.344826937 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.345655918 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.345798016 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.345927000 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.346048117 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.346091032 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:04.346159935 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:04.347424030 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.347438097 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.347729921 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.347750902 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.348191023 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.348277092 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.348534107 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.348572969 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.348798037 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.349325895 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.349740982 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.349970102 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:04.350022078 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:04.532994986 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.533030987 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.534450054 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.534488916 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.534527063 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.534568071 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.534727097 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.537550926 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.537786007 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.537861109 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.538068056 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:04.539516926 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.540060997 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.542939901 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.542984009 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.545281887 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.725615025 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.725780010 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.727080107 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.748208046 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.752424002 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.760420084 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:04.957638025 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.961180925 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:04.974894047 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:05.162659883 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:05.212629080 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:05.268397093 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:05.455382109 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:05.457551003 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:05.647674084 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:05.654898882 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:05.843621016 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:05.845110893 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:06.035685062 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:06.087610960 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:06.185575962 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:06.374320030 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:06.386641026 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:06.572665930 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:06.582299948 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:06.776597023 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:06.822036028 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:07.487648964 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:07.681160927 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:07.724337101 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:07.776283979 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:07.962367058 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:07.962724924 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:07.963526964 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:07.981431961 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:07.987875938 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:08.175597906 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:08.228240013 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:08.240744114 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:08.426970959 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:08.478260994 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:08.491075993 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:08.677705050 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:08.693809986 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:08.881422997 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:08.885597944 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:09.075685024 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:09.076263905 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:09.263768911 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:09.267482996 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:09.456958055 CET29587497065.42.65.0192.168.2.5
                                                                                                                                Mar 28, 2024 15:51:09.509772062 CET4970629587192.168.2.55.42.65.0
                                                                                                                                Mar 28, 2024 15:51:09.553359032 CET4970629587192.168.2.55.42.65.0

                                                                                                                                Click to jump to process

                                                                                                                                Click to jump to process

                                                                                                                                Click to dive into process behavior distribution

                                                                                                                                Click to jump to process

Target ID: 0
Start time: 15:50:54
Start date: 28/03/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xe60000
File size: 344'200 bytes
MD5 hash: 9AA0E1CB84EAA0BF8E0C69154B797261
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2112372634.0000000004335000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 15:50:54
Start date: 28/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 15:50:54
Start date: 28/03/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0xde0000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2121698852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2126833049.0000000003204000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 6
Start time: 15:50:54
Start date: 28/03/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 912
Imagebase: 0x810000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 37.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 22.6%
Total number of Nodes: 53
Total number of Limit Nodes: 3
                                                                                                                                  execution_graph 663 3332115 666 333214d CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 663->666 665 333232a WriteProcessMemory 667 333236f 665->667 666->665 668 33323b1 WriteProcessMemory Wow64SetThreadContext ResumeThread 667->668 669 3332374 WriteProcessMemory 667->669 669->667 670 1570970 671 157099a 670->671 684 1570eef 671->684 672 15709eb 673 1570b34 672->673 678 1570eef VirtualProtectEx 672->678 690 1571446 672->690 695 1571578 672->695 674 1570a70 674->673 699 1571710 674->699 703 1571708 674->703 675 1570b26 707 1571658 675->707 711 1571651 675->711 678->674 685 15710ef 684->685 688 1570f2a 684->688 685->672 686 15715d6 VirtualProtectEx 687 1571607 686->687 687->672 688->685 688->686 689 1571558 688->689 689->672 692 15713eb 690->692 691 15715d6 VirtualProtectEx 694 1571607 691->694 692->691 693 1571558 692->693 693->674 694->674 696 15715c3 VirtualProtectEx 695->696 698 1571607 696->698 698->674 700 157175b CreateThread 699->700 702 15717bb 700->702 702->675 704 157175b CreateThread 703->704 706 15717bb 704->706 706->675 708 1571698 CreateThread 707->708 710 15716cc 708->710 710->673 712 1571658 CreateThread 711->712 714 15716cc 712->714 714->673 715 1570960 716 157099a 715->716 721 1570eef VirtualProtectEx 716->721 717 15709eb 718 1570b34 717->718 722 1571446 VirtualProtectEx 717->722 723 1570eef VirtualProtectEx 717->723 724 1571578 VirtualProtectEx 717->724 719 1570a70 719->718 725 1571710 CreateThread 719->725 726 1571708 CreateThread 719->726 720 1570b26 727 1571651 CreateThread 720->727 728 1571658 CreateThread 720->728 721->717 722->719 723->719 724->719 725->720 726->720 727->718 728->718

Callgraph

[Callgraph figure not reproduced: 120 function nodes from the 01570000 and 03331000 memory regions, rendered as executed / not executed, with opacity indicating relevance and disassembly available per node.]

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 03332284
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 03332297
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 033322B5
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 033322D9
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 03332304
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 0333235C
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 033323A7
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 033323E5
• Wow64SetThreadContext.KERNEL32(?,?), ref: 03332421
• ResumeThread.KERNELBASE(?), ref: 03332430
Note: the CreateProcessA creation flag 00000004 is CREATE_SUSPENDED, and the VirtualAllocEx arguments 00003000 / 00000040 are MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE; this suspended-process, remote-write, set-context, resume sequence is the pattern behind the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures above.
Strings
Memory Dump Source
• Source File: 00000000.00000002.2111639671.0000000003331000.00000040.00000800.00020000.00000000.sdmp, Offset: 03331000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3331000_file.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: GetP$Load$aryA$ress
• API String ID: 2687962208-977067982
• Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction ID: 94e1a8651e08bcc900f3bd7fecc24844230920066d8eeb0cd7f866cb9dea9ce1
• Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction Fuzzy Hash: 83B1E67664024AAFDB60CF68CC80BDA77A9FF88714F158564EA0CEB341D774FA418B94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure for the function at 01570EEF (executed / not executed basic blocks, one block calling VirtualProtectEx); the block list is not reproduced.]
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 015715F8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2111210198.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_file.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: d
• API String ID: 544645111-2564639436
• Opcode ID: 8ac43bd40554237198282632bae30a5e58bff11e5b80c7951d907e88ca2fd583
• Instruction ID: 1f59f2655f4255ace0491b6d7d267fc001c2cc35149055b2dc73289fe71ab7b2
• Opcode Fuzzy Hash: 8ac43bd40554237198282632bae30a5e58bff11e5b80c7951d907e88ca2fd583
• Instruction Fuzzy Hash: 4B32D130A006558FCB06CFA9D480AADFBF2FF89310F59C559D459AB296C734EC82CB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure for the function at 01571708 (executed / not executed basic blocks, one block calling CreateThread); the block list is not reproduced.]
APIs
• CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 015717AC
Memory Dump Source
• Source File: 00000000.00000002.2111210198.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_file.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 55e96eec95e39026757d46fe770834cadeb6818e45b3f1204a30fa3c27700206
• Instruction ID: df95d39baf1229cdbad4b2ff5563f92266fc8329c3448870474ed84741e8091f
• Opcode Fuzzy Hash: 55e96eec95e39026757d46fe770834cadeb6818e45b3f1204a30fa3c27700206
• Instruction Fuzzy Hash: 7731F2B5D002499FCB10CFA9D885ADEFFF5FB88310F20842AE919A7210C775A955CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure for the function at 01571710 (executed / not executed basic blocks, one block calling CreateThread); the block list is not reproduced.]
APIs
• CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 015717AC
Memory Dump Source
• Source File: 00000000.00000002.2111210198.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_file.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 228f3f6cc764f01da2898c7940995376e8c94fc163d4cf971705417b61ce5b1b
• Instruction ID: ef339ec5d4c84f0c36757eea5383c17b40fd98e9a1ee71cedc3e44f0a895c863
• Opcode Fuzzy Hash: 228f3f6cc764f01da2898c7940995376e8c94fc163d4cf971705417b61ce5b1b
• Instruction Fuzzy Hash: 6B2123B5D003099FCB10CFA9D885ADEFFF5FB88310F208429E919A7200C775A954CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure for the function at 01571578 (executed / not executed basic blocks, one block calling VirtualProtectEx); the block list is not reproduced.]
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 015715F8
Memory Dump Source
• Source File: 00000000.00000002.2111210198.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_file.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 52540d87658f42718530a9a1fdf9877b118dc7794bf298e29a914d17ce4bf7da
• Instruction ID: d50bc3962e16250c274b97802684f4863a627ebf9ff301116ea1f5de976905ee
• Opcode Fuzzy Hash: 52540d87658f42718530a9a1fdf9877b118dc7794bf298e29a914d17ce4bf7da
• Instruction Fuzzy Hash: 182139B1D002499FDB10DFAAD885AEEFFF5FF88310F508429E519A7240C7749945DBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure for the function at 01571651 (executed / not executed basic blocks, one block calling CreateThread); the block list is not reproduced.]
APIs
• CreateThread.KERNELBASE(?,?), ref: 015716BD
Memory Dump Source
• Source File: 00000000.00000002.2111210198.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_file.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: faf5dabe4d90dba832ece4920de299283b57ccac4c30abfa17e562a460a51ba5
• Instruction ID: 81992f35a5d8c837fd133af723ca3329fa83ad6da29c17fc0e364b13842d6a3c
• Opcode Fuzzy Hash: faf5dabe4d90dba832ece4920de299283b57ccac4c30abfa17e562a460a51ba5
• Instruction Fuzzy Hash: 2E1164B1D002498BDB20DFAAC4457EFFFF5AB88324F24841AD459A7240CB75A545CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Control-flow graph figure for the function at 01571658 (executed / not executed basic blocks, one block calling CreateThread); the block list is not reproduced.]
APIs
• CreateThread.KERNELBASE(?,?), ref: 015716BD
Memory Dump Source
• Source File: 00000000.00000002.2111210198.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1570000_file.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: a477ddf9838678820c33f1ce575785a97eff26870259dcc9c3ff410c70ba9932
• Instruction ID: f728dfe9cabd29d455299d9f216a65f8ba641247d6142eb231dddeaa464c612a
• Opcode Fuzzy Hash: a477ddf9838678820c33f1ce575785a97eff26870259dcc9c3ff410c70ba9932
• Instruction Fuzzy Hash: E81146B1D002098FCB20DFAAD4456DFFFF5AB88320F248419D419A7240CB75A545CBA1
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 17.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.3%
Total number of Nodes: 75
Total number of Limit Nodes: 13
Execution graph rendering omitted; root nodes 7ac8c68, 133ad38, 133d0b8 and 1334668; API nodes reached: LdrInitializeThunk, GetModuleHandleW, LoadLibraryExW, DuplicateHandle, CreateActCtxA

Control-flow Graph: entry block 7ac98c8-7ac9903 (graph rendering omitted; nodes marked Executed / Not Executed; block 7aca233-7aca285 calls LdrInitializeThunk)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: #)
• API String ID: 0-405437329
• Opcode ID: a10f3da212ca0e535debecb106a0acdcaf16006231b068f54662ab6a703f011b
• Instruction ID: 29938266787d5ff049eab12aa93b0a575842024e61efa634cd5b27456612db35
• Opcode Fuzzy Hash: a10f3da212ca0e535debecb106a0acdcaf16006231b068f54662ab6a703f011b
• Instruction Fuzzy Hash: 6AC281B4A012299FCB64DF28D998BADB7B1FB89301F1085E9D81DA7354DB346E85CF40
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: entry block 7acb068-7acb09a (graph rendering omitted; nodes marked Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: .$1
• API String ID: 0-1839485796
• Opcode ID: ba2bdf76b7e985c215dac19d492f1c98456c0cac74453bb5c46f8f28c44bb8ad
• Instruction ID: c7ec6e9bdbad3d4c38879f493de252acc4c67cf4d2e0ab9d561a7c9eaadf4eec
• Opcode Fuzzy Hash: ba2bdf76b7e985c215dac19d492f1c98456c0cac74453bb5c46f8f28c44bb8ad
• Instruction Fuzzy Hash: 64F1E1B4E01229CFDB68DF65C944B9DBBB2FF8A305F1081AAD44AA7250DB755E81CF10
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: entry block 7ac7a4a-7ac7a79 (graph rendering omitted; nodes marked Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID: LRcq$PHcq
• API String ID: 0-1536932810
• Opcode ID: 3db6d7d1fbaa4129bb1d46d26002126e5927f3d5062f60a926cef776892f14c9
• Instruction ID: fd02d8cba4d94ff160bb3adc905abf1fce8c49f091e9c72c024b18b722743bc1
• Opcode Fuzzy Hash: 3db6d7d1fbaa4129bb1d46d26002126e5927f3d5062f60a926cef776892f14c9
• Instruction Fuzzy Hash: 87A1D3B4E01219DFDB24DFB5C984BAEBBB2BF89300F1085A9D419AB264DB305D85CF51
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 095c8ccb5903b6852a3b983ff00dfa72e124df642dee0e35c5667ac6761a853d
• Instruction ID: 520af62ce5ac90a4de2ad4671e545e068868ebced5a258446dff0c73251a737d
• Opcode Fuzzy Hash: 095c8ccb5903b6852a3b983ff00dfa72e124df642dee0e35c5667ac6761a853d
• Instruction Fuzzy Hash: 16229EB4D00229DFDB65DF68C994BDAB7B2BF89300F1081EAD459A7250EB315E85CF41
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c8f55c63a9af2cc6380610ecc2fb78232728a753c7816df5c103469bcc5d29d
• Instruction ID: 818e5cd0165326ecda799e215c6691402f3371458fd948f5e9b01a36a3fbb7dd
• Opcode Fuzzy Hash: 1c8f55c63a9af2cc6380610ecc2fb78232728a753c7816df5c103469bcc5d29d
• Instruction Fuzzy Hash: 9291F4B0E01219DFDB64DFA8C944B9DBBB2FF89300F1081A9D859A7251DB346A85CF41
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: entry block 133ae30-133ae3f (graph rendering omitted; nodes marked Executed / Not Executed; block 133b068-133b093 calls GetModuleHandleW)
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0133B086
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 536cdaa678ea183bcc3ea55327b19235e600a6c61c14bed27fdf4398b009c447
• Instruction ID: 2bd914cbeaae0fa275f957ef06cd6d6b25dfad55ff3b3936b57ac3bd916a9ea6
• Opcode Fuzzy Hash: 536cdaa678ea183bcc3ea55327b19235e600a6c61c14bed27fdf4398b009c447
• Instruction Fuzzy Hash: E07147B0A00B068FD724DF29D54476ABBF1FF88308F10892DE58ADBA50D774E949CB95
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: entry block 1334248-1335a01 (graph rendering omitted; nodes marked Executed / Not Executed; entry block calls CreateActCtxA)
APIs
• CreateActCtxA.KERNEL32(?), ref: 013359F1
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: c8178cda195fd3ceef5c29f28579479c4554567c4a6c69155fbda54fcfc529c9
• Instruction ID: c47c08a7b5923dac4eb7d39cffdfe0dda88b9147469497704708f55928d07419
• Opcode Fuzzy Hash: c8178cda195fd3ceef5c29f28579479c4554567c4a6c69155fbda54fcfc529c9
• Instruction Fuzzy Hash: 9E41CFB0D0071DCBDB25DFA9C884B9DBBB5FF89304F20806AD408AB251DB75694ACF95
Uniqueness

Uniqueness Score: -1.00%

Basic blocks and edges (from the rendered control-flow graph):
• 1246: 1335935-1335a01, calls CreateActCtxA -> 1248, 1249
• 1248: 1335a03-1335a09 -> 1249
• 1249: 1335a0a-1335a64 -> 1256, 1257
• 1256: 1335a73-1335a77 -> 1258, 1259
• 1257: 1335a66-1335a69 -> 1256
• 1258: 1335a79-1335a85 -> 1259
• 1259: 1335a88 -> 1261
• 1261: 1335a89 -> 1261 (self-loop)
APIs
• CreateActCtxA.KERNEL32(?), ref: 013359F1
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8e361acf5220d43a007542cd2cd91426895087b90ddb7105858ceda1ec655de4
• Instruction ID: a89edc8d49e226e5e34603430f0c44a27bb07ca0bc252ef90c3f0e92e7651e69
• Opcode Fuzzy Hash: 8e361acf5220d43a007542cd2cd91426895087b90ddb7105858ceda1ec655de4
• Instruction Fuzzy Hash: 4241DFB0D00719CEDB25CFA9C984BCDBBB5FF89305F24806AD408AB250DB75694ACF91
Uniqueness
• Uniqueness Score: -1.00%

Basic blocks and edges (from the rendered control-flow graph):
• 1262: 133c9a0-133d394, calls DuplicateHandle -> 1264, 1265
• 1264: 133d396-133d39c -> 1265
• 1265: 133d39d-133d3ba
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D2C6,?,?,?,?,?), ref: 0133D387
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c5f22d606dc0280aa699fab3394964be68c0f4602582d57c5991c2b47955cbfc
• Instruction ID: 79111b0edce762dc67707c160ef886e8997bb066fd9da65ea58d3db2d9c42a1b
• Opcode Fuzzy Hash: c5f22d606dc0280aa699fab3394964be68c0f4602582d57c5991c2b47955cbfc
• Instruction Fuzzy Hash: 9021E5B5D003499FDB10CF9AD984ADEBBF4EB48324F14841AE919A3310D374A954CFA5
Uniqueness
• Uniqueness Score: -1.00%

Basic blocks and edges (from the rendered control-flow graph):
• 1268: 133d2f9-133d394, calls DuplicateHandle -> 1269, 1270
• 1269: 133d396-133d39c -> 1270
• 1270: 133d39d-133d3ba
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D2C6,?,?,?,?,?), ref: 0133D387
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 61410c5f0d3658d2ff9368d0239f28958038795b041ec3748f41b489a636e88e
• Instruction ID: 32d630de830e96f838bf486d6125e6eea0d206382cb69249137eb41bb2fc2faf
• Opcode Fuzzy Hash: 61410c5f0d3658d2ff9368d0239f28958038795b041ec3748f41b489a636e88e
• Instruction Fuzzy Hash: 4C21E2B5D002099FDB10CFA9D985AEEBBF4EB48324F15841AE918B3310D378A954CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0133B101,00000800,00000000,00000000), ref: 0133B312
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 9e747f657afe5c85f10fbfb6e6101cae54d4049212a17d66bdbf7c00672f3d60
• Instruction ID: ab2f2cff2e82797d2a6ff4a388346a0005c1ce5075be258510719e3c8b41c7a0
• Opcode Fuzzy Hash: 9e747f657afe5c85f10fbfb6e6101cae54d4049212a17d66bdbf7c00672f3d60
• Instruction Fuzzy Hash: 681114B6D003499FDB10DF9AD444ADEFBF4EB88325F10852ED929A7200C374A545CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0133B101,00000800,00000000,00000000), ref: 0133B312
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 324c6ecfd744ba0f304a3529f84ebd42fbf652fb76e378eef69fc51f88e29445
• Instruction ID: 62eb07c62654b9d171bbb2a9b95fc0e669d1d2c358412ec0c4bb2594841d9c18
• Opcode Fuzzy Hash: 324c6ecfd744ba0f304a3529f84ebd42fbf652fb76e378eef69fc51f88e29445
• Instruction Fuzzy Hash: FC1123B6D003498FDB10CFAAD944BDEFBF4EB88325F14842AD929A7200C374A545CFA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0133B086
Memory Dump Source
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 45e0e500b4bb83ab471aa66abf38707e97cfbb6571ce0fc404d6f4b2a0ebc247
• Instruction ID: adca16b85f070ef0b3e3e2f3279f56fdce9696dd304a2a0369a5d7bec9f7479a
• Opcode Fuzzy Hash: 45e0e500b4bb83ab471aa66abf38707e97cfbb6571ce0fc404d6f4b2a0ebc247
• Instruction Fuzzy Hash: 82110FB6C003498FDB20CF9AD944ADEFBF4EB88224F10841AD429B7210C379A549CFA5
Uniqueness
• Uniqueness Score: -1.00%
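Every API-bearing record above (CreateActCtxA, DuplicateHandle, LoadLibraryExW, GetModuleHandleW) is attributed to the same dump, 0000000001330000 in process 2 (the RegAsm snapshot), which the report marks "based on PE: false", i.e. executable code that no mapped image backs. The following triage helper is an added example, not code from the report or from Joe Sandbox: it parses the API and Source File lines of these records and lists, per unbacked executable region, which Win32 APIs are called from it. The meaning of the individual dump-name fields is an assumption inferred from the names printed here (field 1 as the process index, field 4 as the base, which does match the printed Offset, field 5 as the page protection, where 0x40 is PAGE_EXECUTE_READWRITE, and field 7 as the region type, where 0x20000 is MEM_PRIVATE); the winnt.h constants themselves are standard. The sample input is constructed from lines on this page.

```python
# Added triage helper: parse the API / "Source File" lines of Joe Sandbox function
# records and flag code running from executable memory that no PE image backs.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# winnt.h constants (certain): page protections with the execute bit, and MEM_PRIVATE.
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
PAGE_EXECUTE_WRITABLE = 0x40 | 0x80            # PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000

# Line shapes exactly as the report prints them (the "•" bullet is part of the text).
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(?P<name>[0-9A-Fa-f.]+)\.sdmp.*?based on PE:\s*(?P<pe>true|false)", re.I)

@dataclass
class Region:
    process: int     # dump-name field 1 (ASSUMED: process index within the analysis)
    base: int        # field 4; it equals the printed "Offset:", so this reading is solid
    protect: int     # field 5 (ASSUMED: page protection; 0x40 = PAGE_EXECUTE_READWRITE)
    mem_type: int    # field 7 (ASSUMED: region type; 0x20000 = MEM_PRIVATE)
    pe_backed: bool  # "based on PE: true/false" on the same line

@dataclass
class Record:
    apis: List[Tuple[str, str, int]] = field(default_factory=list)  # (api, module, call site)
    region: Optional[Region] = None

def parse_dump_name(name: str) -> Region:
    f = name.split(".")
    if len(f) != 8:
        raise ValueError(f"unexpected dump name layout: {name}")
    return Region(int(f[0], 16), int(f[3], 16), int(f[4], 16), int(f[6], 16), False)

def parse_records(text: str) -> List[Record]:
    """One Record per function entry; an entry closes at its 'Uniqueness Score' line."""
    records, cur = [], Record()
    for line in text.splitlines():
        line = line.strip()
        if m := API_RE.search(line):
            cur.apis.append((m["api"], m["module"], int(m["ref"], 16)))
        elif m := SRC_RE.search(line):
            cur.region = parse_dump_name(m["name"])
            cur.region.pe_backed = m["pe"].lower() == "true"
        elif line.startswith("Uniqueness Score"):
            records.append(cur)
            cur = Record()
    return records

def suspicious_regions(records: List[Record]) -> Dict[int, dict]:
    """Group entries by region base; keep executable regions with no backing image,
    the shape left by process injection or an in-memory unpacker."""
    out: Dict[int, dict] = {}
    for rec in records:
        reg = rec.region
        if reg is None or reg.pe_backed or not (reg.protect & PAGE_EXECUTE_ANY):
            continue
        entry = out.setdefault(reg.base, {
            "process": reg.process,
            "rwx": bool(reg.protect & PAGE_EXECUTE_WRITABLE),
            "private": reg.mem_type == MEM_PRIVATE,
            "apis": set(),
        })
        entry["apis"].update(api for api, _mod, _ref in rec.apis)
    return out

def summarize(regions: Dict[int, dict]) -> List[str]:
    lines = []
    for base in sorted(regions):
        e = regions[base]
        flags = ("RWX" if e["rwx"] else "RX") + ("+private" if e["private"] else "")
        apis = ", ".join(sorted(e["apis"])) or "(no API calls recorded)"
        lines.append(f"process {e['process']} region {base:#x} [{flags}] unbacked: {apis}")
    return lines

# Constructed sample: the API and Source File lines of four records from this page.
SAMPLE_RECORDS = """\
APIs
• CreateActCtxA.KERNEL32(?), ref: 013359F1
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0133D2C6,?,?,?,?,?), ref: 0133D387
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0133B101,00000800,00000000,00000000), ref: 0133B312
• Source File: 00000002.00000002.2125713973.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Uniqueness Score: -1.00%
• Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for line in summarize(suspicious_regions(parse_records(SAMPLE_RECORDS))):
        print(line)
```

Run as a script it prints one line per unbacked executable region, with 0x1330000 in process 2 flagged RWX+private and carrying the four loader-style calls; the 0x12DD000 region from the records without an API block is flagged on its protection alone. If the assumed field layout is wrong for a given report version, parse_dump_name raises instead of silently misreading the protection.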

Memory Dump Source
• Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12dd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 68064c3bdf2d189c20b727c771d76e813895df8fca651e9fa5cac060f66daf57
• Instruction ID: cafda85710d5dd5547b5eebdcc56521e1c2328e2cd90a89c479f31dccd757949
• Opcode Fuzzy Hash: 68064c3bdf2d189c20b727c771d76e813895df8fca651e9fa5cac060f66daf57
• Instruction Fuzzy Hash: E02167B1514649EFDB01DF98E9C0F26BF65FB84318F24C56DD9090B286C336D416CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12dd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fa572c83fb80ecb53c52177b7ccf8da9eb41cc8f648032dc01f761b999fd09e5
• Instruction ID: b63df5cb72b84c8eca99f2672b38f7c65b5e305651ba35d14dc32f7fa6449ef4
• Opcode Fuzzy Hash: fa572c83fb80ecb53c52177b7ccf8da9eb41cc8f648032dc01f761b999fd09e5
• Instruction Fuzzy Hash: D921A9B1510648EFDB01CF88D9C0F66BF65FB84324F24C56DD9090B286C336E406CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2125501167.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12ed000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: db0e3c92241e74541550d6621b4c9a41fbd37176be62a32e0290acbb774ad134
• Instruction ID: f5e5c0bf08b4dfcb0c89bfa74288260c128e53339b2a2bc81d048bc40810e11e
• Opcode Fuzzy Hash: db0e3c92241e74541550d6621b4c9a41fbd37176be62a32e0290acbb774ad134
• Instruction Fuzzy Hash: 2A2164B0614208DFCB11CF68D9C8B26BFA1FB84314F68C96DD90A0B242C37BD407CA61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12dd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9d2fca6cd368564b3cf4f3b4e4fa433d45c4493164d5b5eaabf30113a943e9d
• Instruction ID: 9b398c1561df5036df54ee9aa8ee63cb6bebc262ea4c00457cb7370453cb5417
• Opcode Fuzzy Hash: a9d2fca6cd368564b3cf4f3b4e4fa433d45c4493164d5b5eaabf30113a943e9d
• Instruction Fuzzy Hash: DE112676404684CFCB12CF54E9C4B16BF71FB84318F24C6A9D9490B657C336D45ACBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12dd000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a9d2fca6cd368564b3cf4f3b4e4fa433d45c4493164d5b5eaabf30113a943e9d
• Instruction ID: edc202810badddb0963ff5778eb87a43a3144c3f8a33021c898eaa7c073437ca
• Opcode Fuzzy Hash: a9d2fca6cd368564b3cf4f3b4e4fa433d45c4493164d5b5eaabf30113a943e9d
• Instruction Fuzzy Hash: E4112276404684DFDB12CF44D9C4B56BF71FB84324F28C6A9DA090B657C33AE45ACBA2
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.2125501167.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_12ed000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: e64fc474496645f77accdbd1a3ad286c5c0c617209a35917f0f7eb2d8cd15d48
                                                                                                                                  • Instruction ID: b42a709345219da611472b413f5fc2ebc37f3b87cb689606b7621b9a33ff6bef
                                                                                                                                  • Opcode Fuzzy Hash: e64fc474496645f77accdbd1a3ad286c5c0c617209a35917f0f7eb2d8cd15d48
                                                                                                                                  • Instruction Fuzzy Hash: FA11DD75504284CFDB12CF58D5C8B15FFA1FB84314F28C6AAD9494B656C33AD44BCBA2
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_12dd000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: fdc76080e19c4f19584c2707330cb38f40d7a75fc1347d46682bcedabe58f004
                                                                                                                                  • Instruction ID: 3e266f99fc9eb3b815a6a59eb4b2d8d985833147422c38776c935cf3e858f9b5
                                                                                                                                  • Opcode Fuzzy Hash: fdc76080e19c4f19584c2707330cb38f40d7a75fc1347d46682bcedabe58f004
                                                                                                                                  • Instruction Fuzzy Hash: 7B012B711157499AE7104EADDDC47A7BF98DF41324F18C81AEE084A1C6C3769844C671
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.2125458153.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_12dd000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: 8d78762bd51f3c49f83203d7f6236a3853b71fa858e6807404e58cc0edee7560
                                                                                                                                  • Instruction ID: 1195a56df3cfb3a56ad0b7ce8bfb4743751f39234104eb606a296a23e9a1e0d7
                                                                                                                                  • Opcode Fuzzy Hash: 8d78762bd51f3c49f83203d7f6236a3853b71fa858e6807404e58cc0edee7560
                                                                                                                                  • Instruction Fuzzy Hash: CBF0F671405744AEE7108E5ADD84BA3FF98EF40734F18C45AEE484B286C3799844CA71
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: db1a8c2c624cb0516b043b32af82fab924cd5cf70af8c2f7a88e869e8ff6cfb6
                                                                                                                                  • Instruction ID: 69dae33514756f532a3c52e48f3fdc94dc550b2c577f65311f4241d60bc64e2e
                                                                                                                                  • Opcode Fuzzy Hash: db1a8c2c624cb0516b043b32af82fab924cd5cf70af8c2f7a88e869e8ff6cfb6
                                                                                                                                  • Instruction Fuzzy Hash: 88E09AB0C5A50EEADB14CFA2C101BFFF7B4AB82210F20584EC81177298DFB046448E62
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%

                                                                                                                                  Memory Dump Source
                                                                                                                                  • Source File: 00000002.00000002.2156716333.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                  • Snapshot File: hcaresult_2_2_7ac0000_RegAsm.jbxd
                                                                                                                                  Similarity
                                                                                                                                  • API ID:
                                                                                                                                  • String ID:
                                                                                                                                  • API String ID:
                                                                                                                                  • Opcode ID: d6e99e827150008ddb3b9ab215791691da950fcfc30ef683aa80230dd901d693
                                                                                                                                  • Instruction ID: cdea3c2a3d6d061ced141a82c4823cd7f737e946a4bcfaf3462b9e2a014cd86f
                                                                                                                                  • Opcode Fuzzy Hash: d6e99e827150008ddb3b9ab215791691da950fcfc30ef683aa80230dd901d693
                                                                                                                                  • Instruction Fuzzy Hash: 88F039F0C0521AEBEB20CF10DC587BEBAB0BB06319F10645CD026B3194CB749684CF84
                                                                                                                                  Uniqueness

                                                                                                                                  Uniqueness Score: -1.00%