Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1417543
MD5:57527c8a34c0cac7dae9e528bfc54af0
SHA1:48f6cb641842cc47e06c04e94064e0e33edb8af8
SHA256:52c8947c40ed9f6facea49a5986f4232af6aadd73fbc395de25bfce50bc8a7e2
Tags:exe
Infos:

Detection

RedLine
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6108 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 57527C8A34C0CAC7DAE9E528BFC54AF0)
    • conhost.exe (PID: 2140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 772 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • WerFault.exe (PID: 7204 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 980 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "5.42.65.0:29587", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000002.00000002.1759645891.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: file.exe PID: 6108 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
0.2.file.exe.3d05570.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.file.exe.3d05570.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Timestamp:03/29/24-15:35:59.551811
SID:2046056
Source Port:29587
Destination Port:49730
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/29/24-15:35:54.093174
SID:2046045
Source Port:49730
Destination Port:29587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/29/24-15:36:06.573665
SID:2043231
Source Port:49730
Destination Port:29587
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:03/29/24-15:35:54.296392
SID:2043234
Source Port:29587
Destination Port:49730
Protocol:TCP
Classtype:A Network Trojan was detected

AV Detection

Source: 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: RedLine {"C2 url": "5.42.65.0:29587", "Bot Id": "LogsDiller Cloud (TG: @logsdillabot)", "Authorization Header": "3a050df92d0cf082b2cdaf87863616be"}
Source: file.exe, ReversingLabs: Detection: 21%
Source: file.exe, Virustotal: Detection: 29%
Source: file.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Birding.pdb source: file.exe, WERA371.tmp.dmp.5.dr
Source: Binary string: $$.pdb source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Birding.pdb source: file.exe, 00000000.00000002.1729098350.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Birding.pdbO source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Users\user\Desktop\Birding.pdb source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: WERA371.tmp.dmp.5.dr
Source: Binary string: symbols\exe\Birding.pdb source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\file.PDB source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERA371.tmp.dmp.5.dr
Source: Binary string: Birding.pdbh, source: file.exe
Source: Binary string: C:\Windows\Birding.pdbpdbing.pdb source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERA371.tmp.dmp.5.dr
Source: Binary string: \??\C:\Windows\exe\Birding.pdb source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Birding.pdb source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\Birding.pdb source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: nHC:\Users\user\Desktop\Birding.pdb (* source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: Birding.pdbirding.pdbpdbing.pdb source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: o.pdb source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp

Networking

Source: Traffic, Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49730 -> 5.42.65.0:29587
Source: Traffic, Snort IDS: 2043231 ET TROJAN Redline Stealer TCP CnC Activity 192.168.2.4:49730 -> 5.42.65.0:29587
Source: Traffic, Snort IDS: 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response 5.42.65.0:29587 -> 192.168.2.4:49730
Source: Traffic, Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 5.42.65.0:29587 -> 192.168.2.4:49730
Source: Malware configuration extractor, URLs: 5.42.65.0:29587
Source: global traffic, TCP traffic: 5.42.65.0 ports 2,5,29587,7,8,9
Source: global traffic, TCP traffic: 192.168.2.4:49730 -> 5.42.65.0:29587
Source: Joe Sandbox View, ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown, TCP traffic detected without corresponding DNS query: 5.42.65.0
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000029B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A16000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000029B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002A16000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                      Source: Amcache.hve.5.drString found in binary or memory: http://upx.sf.net
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: file.exe, 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1759645891.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

                      Source: file.exe, N7DqHW1SfWWTc7uyO9f.csLarge array initialization: N7DqHW1SfWWTc7uyO9f: array initializer size 308224
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_011610D80_2_011610D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_026C25D82_2_026C25D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_026CDC742_2_026CDC74
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 980
                      Source: file.exe, 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRanter.exe8 vs file.exe
                      Source: file.exe, 00000000.00000002.1729098350.0000000000F0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
                      Source: file.exe, 00000000.00000000.1611638477.00000000008F4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBirding.exe4 vs file.exe
                      Source: file.exeBinary or memory string: OriginalFilenameBirding.exe4 vs file.exe
                      Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/6@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\SystemCache
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6108
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8e81f15b-2929-46a0-85df-b1bb97f48110
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000002.00000002.1763200672.0000000002E4B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E5A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E34000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe | ReversingLabs: Detection: 21%
Source: file.exe | Virustotal: Detection: 29%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 980
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
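The process tree above (a user-path .NET dropper starting RegAsm.exe with a bare command line, then WerFault.exe reporting on the dropper's own PID) is the hollowing pattern a detection engineer would want to catch in endpoint telemetry. The following is an added example, not code from the Joe Sandbox report or from the sample: it runs a small parent/child rule set over constructed process-creation events that mirror the tree shown. The event layout, the PIDs other than 6108 and the list of hollowing targets are assumptions.

```python
"""Parent/child process-tree triage over constructed process-creation events.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's tree (file.exe -> conhost.exe, RegAsm.exe, WerFault.exe);
the field layout is an assumption loosely modelled on Sysmon Event ID 1.
"""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed sample telemetry. PID 6108 is the one the report shows in the
# WerFault command line; the other PIDs are made up.
EVENTS = [
    ProcCreate(6108, 4000, r"C:\Users\user\Desktop\file.exe",
               r'"C:\Users\user\Desktop\file.exe"', r"C:\Windows\explorer.exe"),
    ProcCreate(2140, 6108, r"C:\Windows\System32\conhost.exe",
               r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
               r"C:\Users\user\Desktop\file.exe"),
    ProcCreate(7300, 6108, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
               r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
               r"C:\Users\user\Desktop\file.exe"),
    ProcCreate(7310, 6108, r"C:\Windows\SysWOW64\WerFault.exe",
               r"C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 980",
               r"C:\Users\user\Desktop\file.exe"),
    # Benign control: a developer registering an assembly with real arguments.
    ProcCreate(8000, 5000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
               r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MyLib.dll /codebase',
               r"C:\Windows\System32\cmd.exe"),
]

# Signed .NET utilities under C:\Windows that idle quietly when started with
# no work, which makes them popular hollowing hosts (assumed list).
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                  "msbuild.exe", "aspnet_compiler.exe", "applaunch.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def args_after_image(cmdline: str) -> str:
    """Return the command line with the (possibly quoted) image path removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def triage(events):
    """Return (pid, rule) findings for the suspicious parent/child pairs."""
    findings = []
    for e in events:
        parent_user_path = any(m in e.parent_image.lower() for m in USER_WRITABLE)
        child = image_name(e.image)
        if child in HOLLOW_TARGETS and args_after_image(e.cmdline) == "":
            # A .NET host with no arguments does nothing useful on its own;
            # a user-path parent on top of that is a strong injection signal.
            rule = "dotnet_host_no_args"
            if parent_user_path:
                rule += "+user_path_parent"
            findings.append((e.pid, rule))
        if child == "werfault.exe" and parent_user_path:
            # The crash handler invoked for a process living in a user path
            # (here with -p <pid> of the dropper itself).
            findings.append((e.pid, "crash_of_user_path_process"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign control event shows why the rule keys on an empty argument list rather than on RegAsm.exe itself: a developer registering a COM-visible assembly always passes a path, whereas an injection host is started with nothing to register.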
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe, WERA371.tmp.dmp.5.dr | Binary string: Birding.pdb
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: $$.pdb
Source: file.exe, 00000000.00000002.1729098350.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\symbols\exe\Birding.pdb
Source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\Birding.pdbO
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: oC:\Users\user\Desktop\Birding.pdb
Source: WERA371.tmp.dmp.5.dr | Binary string: mscorlib.pdb
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: symbols\exe\Birding.pdb
Source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Users\user\Desktop\file.PDB
Source: WERA371.tmp.dmp.5.dr | Binary string: mscorlib.ni.pdb
Source: file.exe | Binary string: Birding.pdbh,
Source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | Binary string: C:\Windows\Birding.pdbpdbing.pdb
Source: WERA371.tmp.dmp.5.dr | Binary string: mscorlib.ni.pdbRSDS
Source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\exe\Birding.pdb
Source: file.exe, 00000000.00000002.1729098350.0000000000F47000.00000004.00000020.00020000.00000000.sdmp | Binary string: \??\C:\Windows\Birding.pdb
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: n0C:\Windows\Birding.pdb
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: nHC:\Users\user\Desktop\Birding.pdb (*
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: Birding.pdbirding.pdbpdbing.pdb
Source: file.exe, 00000000.00000002.1728868057.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp | Binary string: o.pdb
Source: file.exe | Static PE information: section name: .text entropy: 7.71765723004061
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX (18 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (76 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical events)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 identical events)

                      Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2D00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2680000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 28C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7472 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
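Two evasion signals are visible in the lines above: the injected RegAsm.exe asks WMI for Win32_DiskDrive, Win32_VideoController and Win32_Processor (disk vendor, GPU name and CPU model are where VMware, VirtualBox and QEMU strings show up), and it sleeps for 922337203685477 ms, which is TimeSpan.MaxValue in milliseconds, i.e. Thread.Sleep(TimeSpan.MaxValue) in .NET. Note that the Amcache.hve strings that follow (VMware, vmci.sys, Hyper-V) come from the WER report's copy of the analysis VM's own application-compatibility hive, so they describe the sandbox hardware, not code inside the sample. The block below is an added example, not code from the report or the sample: it scores constructed WMI and sleep events per process and flags the combination. The event layout, the class list, the weights and the one-day "sleep forever" cut-off are assumptions; it also covers the Win32_Process enumeration lines earlier on the page, which it deliberately does not score.

```python
"""Score WMI hardware-inventory queries and very long sleeps per process.

Added example, not part of the sandbox report. Events are constructed to
mirror the report's WMI and thread-delay lines; layout, class lists, weights
and the sleep cut-off are assumptions.
"""
import re
from collections import defaultdict

# Classes that inventory agents query legitimately but that, issued by an
# arbitrary user process, are the usual VM/sandbox fingerprinting set.
FINGERPRINT_CLASSES = {
    "win32_diskdrive": "disk model/vendor (VMware, VBOX, QEMU strings)",
    "win32_videocontroller": "GPU name (VMware SVGA, VirtualBox Graphics)",
    "win32_processor": "CPU name / core count",
    "win32_computersystem": "manufacturer / model",
    "win32_bios": "BIOS vendor / version",
}
# Security-product enumeration lives in root\SecurityCenter2.
AV_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}

# TimeSpan.MaxValue is 922,337,203,685,477 ms; anything beyond a day is
# treated as "sleep until the sandbox times out" (assumed cut-off).
SLEEP_FOREVER_MS = 24 * 3600 * 1000

QUERY_RE = re.compile(r"\bfrom\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def wmi_class(query: str):
    """Return the lower-cased class name of a WQL SELECT, or None."""
    m = QUERY_RE.search(query)
    return m.group(1).lower() if m else None


def score(events):
    """events: dicts with 'process', 'kind' ('wmi' | 'sleep') and either
    'namespace' + 'query' or 'delay_ms'. Returns a verdict per process."""
    per_proc = defaultdict(lambda: {"fingerprint": set(), "av_enum": False,
                                    "sleep_forever": False})
    for ev in events:
        st = per_proc[ev["process"]]
        if ev["kind"] == "wmi":
            cls = wmi_class(ev["query"])
            if cls in FINGERPRINT_CLASSES:
                st["fingerprint"].add(cls)
            elif cls in AV_CLASSES and "securitycenter2" in ev["namespace"].lower():
                st["av_enum"] = True
        elif ev["kind"] == "sleep" and ev["delay_ms"] >= SLEEP_FOREVER_MS:
            st["sleep_forever"] = True
    verdicts = {}
    for proc, st in per_proc.items():
        pts = (2 * len(st["fingerprint"])
               + (2 if st["av_enum"] else 0)
               + (3 if st["sleep_forever"] else 0))
        verdicts[proc] = {
            "score": pts,
            "evasive": pts >= 4,          # two fingerprint classes, or one plus a sleep
            "fingerprint": sorted(st["fingerprint"]),
            "av_enum": st["av_enum"],
            "sleep_forever": st["sleep_forever"],
        }
    return verdicts


# Constructed events mirroring the report lines.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
AGENT = r"C:\Program Files\Inventory\agent.exe"
EVENTS = [
    {"process": REGASM, "kind": "wmi", "namespace": r"root\cimv2", "query": "SELECT * FROM Win32_DiskDrive"},
    {"process": REGASM, "kind": "wmi", "namespace": r"root\CIMV2", "query": "SELECT * FROM Win32_VideoController"},
    {"process": REGASM, "kind": "wmi", "namespace": r"root\cimv2", "query": "SELECT * FROM Win32_Processor"},
    {"process": REGASM, "kind": "wmi", "namespace": r"root\cimv2", "query": "SELECT * FROM Win32_Process Where SessionId='1'"},
    {"process": REGASM, "kind": "sleep", "delay_ms": 922337203685477},
    # Benign control: an inventory agent asks one class and sleeps a minute.
    {"process": AGENT, "kind": "wmi", "namespace": r"root\cimv2", "query": "SELECT * FROM Win32_Processor"},
    {"process": AGENT, "kind": "sleep", "delay_ms": 60000},
]


if __name__ == "__main__":
    for proc, v in score(EVENTS).items():
        print(proc, v)
```

Win32_Process is left out of the fingerprint set on purpose: process enumeration is what the stealer uses to find browsers and wallets, and it is also what every monitoring tool does, so on its own it carries no evasion weight. The value of scoring per process is that a single Win32_Processor query from an agent stays under the threshold while the three-class burst from a .NET host that should never be doing hardware inventory does not.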
Source: Amcache.hve.5.dr | Binary or memory string: VMware
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000002.00000002.1762106155.0000000000B71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_02D05231 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_02D05231
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 61D008
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.5.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegAsm.exe, 00000002.00000002.1782014629.00000000059FE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1762384037.0000000000C2C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr; Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
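Added example (not part of the Joe Sandbox report): the evidence above shows two behaviours worth turning into detection logic, the process-hollowing pattern in which file.exe spawns RegAsm.exe, allocates execute+write memory in it, writes a PE header (4D5A) to its image base and uses the CreateProcessA / WriteProcessMemory / Wow64SetThreadContext / ResumeThread chain, and the enumeration of AntivirusProduct, AntiSpyWareProduct and FirewallProduct through ROOT\SecurityCenter2. The Python script below runs both checks over behaviour-log lines. The sample lines it parses are constructed for this example in a "Source: <process>; <event>: <detail>" form modelled on the evidence lines in this section; the line format, the names HOLLOWING_CHAIN, build_profiles and detect, and the threshold of three indicators per target are this example's own assumptions, not part of Joe Sandbox.

```python
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# Constructed sample lines in the style of the evidence above ("Source: <process>; <event>: <detail>"); not report data.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_02D05231 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,0_2_02D05231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\benign.exe; Memory written: C:\Users\user\Desktop\benign.exe base: 1A0000
"""

LINE_RE = re.compile(r"^Source: (?P<source>.+?); (?P<event>[^:]+): (?P<detail>.*)$")
MEM_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?P<rest>.*)$")
WMI_RE = re.compile(r"(?P<ns>ROOT\\SecurityCenter2?)\s*:\s*SELECT \* FROM (?P<cls>\w+)", re.IGNORECASE)
FUNC_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")  # sandbox-style function ids such as 0_2_02D05231

# Hollowing sequence: spawn, overwrite the image, repoint the main thread, resume. Matched as substrings
# so that CreateProcessA/W and Wow64SetThreadContext count as well.
HOLLOWING_CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

Finding = namedtuple("Finding", "kind process target evidence")


def has_api_chain(apis, chain=HOLLOWING_CHAIN):
    # True when every element of `chain` occurs in order (not necessarily adjacent) in the API list.
    pos = 0
    for api in apis:
        if pos < len(chain) and chain[pos] in api:
            pos += 1
    return pos == len(chain)


@dataclass
class ProcessProfile:
    spawned: set = field(default_factory=set)          # processes this one created
    rwx_alloc: set = field(default_factory=set)        # remote targets given execute+write memory
    mz_written: set = field(default_factory=set)       # remote targets that received a PE header
    api_chain: bool = False                            # hollowing API sequence found in its own code
    security_center: set = field(default_factory=set)  # (namespace, class) pairs enumerated via WMI


def build_profiles(log_text):
    profiles = defaultdict(ProcessProfile)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, event, detail = m.group("source"), m.group("event"), m.group("detail")
        p = profiles[src]
        if event == "Process created":
            p.spawned.add(detail.split(' "')[0])
        elif event in ("Memory allocated", "Memory written"):
            mm = MEM_RE.match(detail)
            if not mm or mm.group("target") == src:
                continue  # writes to its own address space are normal; only cross-process ones matter
            rest = mm.group("rest")
            if event == "Memory allocated" and "execute" in rest and "write" in rest:
                p.rwx_alloc.add(mm.group("target"))
            if event == "Memory written" and "value starts with: 4D5A" in rest:
                p.mz_written.add(mm.group("target"))
        elif event == "Code function":
            apis = [a for a in re.split(r"[,\s]+", detail) if a and not FUNC_ID_RE.match(a)]
            p.api_chain = p.api_chain or has_api_chain(apis)
        elif event == "WMI Queries":
            wm = WMI_RE.search(detail)
            if wm:
                p.security_center.add((wm.group("ns"), wm.group("cls")))
    return profiles


def detect(log_text):
    findings = []
    for proc, p in build_profiles(log_text).items():
        for target in sorted(p.spawned | p.rwx_alloc | p.mz_written):
            checks = ((p.spawned, "spawned the target"),
                      (p.rwx_alloc, "allocated execute+write memory in the target"),
                      (p.mz_written, "wrote a PE header (4D5A) into the target"))
            evidence = [label for bucket, label in checks if target in bucket]
            if p.api_chain:
                evidence.append("code contains CreateProcess/WriteProcessMemory/SetThreadContext/ResumeThread")
            # A PE header landing in another process plus two further indicators: report hollowing.
            if target in p.mz_written and len(evidence) >= 3:
                findings.append(Finding("process_hollowing", proc, target, evidence))
        if p.security_center:
            findings.append(Finding("security_software_discovery", proc, "WMI",
                                    [f"{ns} : SELECT * FROM {cls}" for ns, cls in sorted(p.security_center)]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.kind}: {f.process} -> {f.target}")
        for e in f.evidence:
            print("   ", e)
```

Running the script on the sample reports one process_hollowing finding (file.exe into RegAsm.exe, four indicators) and one security_software_discovery finding for RegAsm.exe; benign.exe, which only writes non-PE data into its own address space, produces nothing. The threshold of three indicators keeps a lone cross-process write of a PE header (which some legitimate installers and debuggers do) from firing on its own.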

                      Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.file.exe.3d05570.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.3d05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1759645891.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 6108, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 772, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match; File source: 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 772, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 0.2.file.exe.3d05570.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.file.exe.3d05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.1759645891.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 6108, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 772, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; the digit groups that the extraction fused in front of some technique names, such as 221 or 411, are kept as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 221 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 411 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 251 Virtualization/Sandbox Evasion; 411 Process Injection; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 241 Security Software Discovery; 1 Process Discovery; 251 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 113 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Source | Detection | Scanner | Label | Link
file.exe | 21% | ReversingLabs | |
file.exe | 29% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://api.ip.sb/ip | 0% | URL Reputation | safe |
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe |
5.42.65.0:29587 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe |
5.42.65.0:29587 | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id23ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id2Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21Response | 4% | Virustotal | | Browse
http://tempuri.org/Entity/Id8 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id7 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id6 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id19Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id13ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id4 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id6Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id15Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id20 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id5ResponseD | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id1ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe |
http://tempuri.org/ | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id9Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id21 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id22 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id23 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id1Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id24Response | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id11 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id21ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10ResponseD | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id16Response | 2% | Virustotal | | Browse
http://tempuri.org/Entity/Id13 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id14 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id18 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id16 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id15 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe |
http://tempuri.org/Entity/Id10 | 1% | Virustotal | | Browse
http://tempuri.org/Entity/Id12 | 1% | Virustotal | | Browse
                      No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
5.42.65.0:29587 | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id14ResponseD | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                                            http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#licenseRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/IssueRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/AbortedRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequenceRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://tempuri.org/Entity/Id13ResponseDRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • 1%, Virustotal, Browse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/faultRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://schemas.xmlsoap.org/ws/2004/10/wsatRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeyRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://tempuri.org/Entity/Id15ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • 2%, Virustotal, Browse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://tempuri.org/Entity/Id5ResponseDRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • 2%, Virustotal, Browse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameRegAsm.exe, 00000002.00000002.1763200672.00000000029B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/RenewRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://tempuri.org/Entity/Id6ResponseRegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • 2%, Virustotal, Browse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKeyRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://api.ip.sb/ipfile.exe, 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1759645891.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2004/04/scRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://tempuri.org/Entity/Id1ResponseDRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    • 1%, Virustotal, Browse
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PCRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/CancelRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://tempuri.org/Entity/Id9ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • 2%, Virustotal, Browse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://tempuri.org/Entity/Id20RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://tempuri.org/Entity/Id21RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://tempuri.org/Entity/Id22RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • 1%, Virustotal, Browse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://tempuri.org/Entity/Id23RegAsm.exe, 00000002.00000002.1763200672.0000000002A6E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            • 1%, Virustotal, Browse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://tempuri.org/Entity/Id24RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              • 1%, Virustotal, Browse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                • 1%, Virustotal, Browse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://www.ecosia.org/newtab/RegAsm.exe, 00000002.00000002.1763200672.0000000002F88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002EF3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1763200672.0000000002E8C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  • 2%, Virustotal, Browse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://tempuri.org/Entity/Id21ResponseDRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                • 1%, Virustotal, Browse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://tempuri.org/Entity/Id10RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id11RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id10ResponseDRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id12RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • 2%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://tempuri.org/Entity/Id13RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id14RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id15RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://tempuri.org/Entity/Id16RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            • 1%, Virustotal, Browse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://tempuri.org/Entity/Id17RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id18RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • 1%, Virustotal, Browse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://tempuri.org/Entity/Id19RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://tempuri.org/Entity/Id15ResponseDRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
http://tempuri.org/Entity/Id11ResponseD | RegAsm.exe, 00000002.00000002.1763200672.0000000002A16000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8Response | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://tempuri.org/Entity/Id17ResponseD | RegAsm.exe, 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | RegAsm.exe, 00000002.00000002.1763200672.00000000028C1000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
5.42.65.0 | unknown | Russian Federation | 39493 | RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1417543
Start date and time: 2024-03-29 15:35:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 53s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/6@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 24
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, MoUsoCoreWorker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.65.92
• Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
15:36:02 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
15:36:04 | API Interceptor | 15x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
5.42.65.0 | mxsujj4FZz.exe | malicious | GCleaner, RedLine
5.42.65.0 | file.exe | malicious | RedLine
5.42.65.0 | i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader
5.42.65.0 | file.exe | malicious | PureLog Stealer, RedLine
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | l2ZKczbGRq.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 5.42.64.17
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | mxsujj4FZz.exe | malicious | GCleaner, RedLine | 5.42.65.115
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | uQeIMs91Vh.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT | 5.42.64.17
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | oKum4jX2X3.exe | malicious | GCleaner, Nymaim | 5.42.64.3
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | oKum4jX2X3.exe | malicious | GCleaner, Nymaim | 5.42.64.3
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | http://prident-group.com | malicious | HtmlDropper, HTMLPhisher | 5.42.65.39
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | RedLine | 5.42.65.0
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | i1crvbOZAP.exe | malicious | Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader | 5.42.65.117
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer | 5.42.65.117
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU | file.exe | malicious | PureLog Stealer, RedLine | 5.42.65.0
No context
No context

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.8770668885156737
Encrypted: false
SSDEEP: 192:MHUaKBUyvdP4GKc0BU/fIxauvzuiFSZ24IO8eBwru:9tdnKXBU/iaWzuiFSY4IO8e0
MD5: 40454916BC6AD2AB0858DE44E4ECE31C
SHA1: 25D27DAF6E67EFA8EB1C4BFA407F9F2E3A1B5F5C
SHA-256: 43801A77974EA40514A4E511E5F6D2BF2EBC9261031F3A624CE7704BFEB7C581
SHA-512: 54097CE59ED67B35703C36D2E97DFE94123E1093B6408BD64B4F49977BA4544D6DCF4CCAF2A1A6318E9E361A77452DFB025410DDD4A8DAD43305F0C895A4DE70
Malicious: false
Reputation: low
                                                                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.9.6.5.5.1.7.0.3.9.6.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.9.6.5.5.2.4.2.2.7.2.3.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.9.e.e.3.a.9.-.7.f.f.8.-.4.2.2.1.-.a.1.2.7.-.8.5.9.9.a.9.1.a.f.2.1.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.c.b.7.2.4.3.d.-.f.8.e.6.-.4.b.0.4.-.8.b.1.f.-.9.a.f.7.f.9.d.0.8.f.0.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.B.i.r.d.i.n.g...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.d.c.-.0.0.0.1.-.0.0.1.4.-.7.a.9.a.-.b.e.6.5.e.6.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.4.2.7.3.f.a.4.7.5.8.9.1.c.6.5.2.c.3.5.0.9.2.e.f.c.a.c.5.7.0.4.0.0.0.0.0.0.0.0.!.0.0.0.0.4.8.f.6.c.b.6.4.1.8.4.2.c.c.4.7.e.0.6.c.0.4.e.9.4.0.6.4.e.0.e.3.3.e.d.b.8.a.f.8.!.f.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Fri Mar 29 14:35:52 2024, 0x1205a4 type
Category: dropped
Size (bytes): 145204
Entropy (8bit): 3.3311464800042287
Encrypted: false
SSDEEP: 1536:ZB9XpN4uE2aOJLTgO6T/z0nCDm3Ypk9e7KONDIJ:Znn4uEqJLTgtT/Dt
MD5: 538F37CAF2814B60B0339C2F3136D9F6
SHA1: FB82B8CB07D56D8EA2BAB6BE4A49415E303B588C
SHA-256: 8475C56D112F8DA98DAFCA1F4E50CAD96CB131C96FC97DF2912324E25777837C
SHA-512: D32F912816CC68BED3776FDE879AC7AB1A86AD3FEDE5CEAF474FCD28EB3E385A3A4254602B4D1EABE00CA6B3B396619E1A1BD536536B7BCD8DC1B7DDAA06D7C1
Malicious: false
Reputation: low
                                                                                                                                      Preview:MDMP..a..... ..........f........................4...........$................8..........`.......8...........T............&..d.......................................................................................................eJ......t.......GenuineIntel............T..............f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8310
Entropy (8bit): 3.694581853276541
Encrypted: false
SSDEEP: 192:R6l7wVeJFCjN6Km6Y98SU9VingmfB+4JdcGprB89bKjQsf8UJum:R6lXJCN6L6YmSU9VingmfE4JdcdKjjfT
MD5: EC2AE5F5B23CEDE5355E3E898E4B7790
SHA1: A7D45EABEDCC86B93E3511BDC2E7992934234928
SHA-256: 85D803DEFFC31CA7C6B1F09910E68D13586D36BB0CC0D5D6FB2B5E48939F4A1B
SHA-512: D1488FB043FF8D4D274FB6F2F0AF00507FD7549CED5E9B6A80D957DA69A0D2D5D91EBD5DA799BC16852D3B7EECA22D6EADC6FEBAEAD9A555BC3036C4E89AC2CA
Malicious: false
Reputation: low
                                                                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.0.8.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4627
Entropy (8bit): 4.452858689116166
Encrypted: false
SSDEEP: 48:cvIwWl8zsJ4Jg77aI9RuWpW8VYrAYm8M4J8AFHSo+q8kyoYld:uIjfoI7PP7VyNJCowoYld
MD5: 0321B8E68D10C362958054AC0B30AF0B
SHA1: 1842CC571A6DBC3E17727E136DD1298287516D4F
SHA-256: 49D9DA1DE7698B074AFED6DE86FCAA450790560AE3B8299347BC9A623A429740
SHA-512: 3A6BA581B367C1958597FD311C29AEC56DA5E11165D55353380D7DBF14A2C12F4EEAA42B660DD403F4D870A33A8744D8619E1E1B108BC4E61D3203270200BAD6
Malicious: false
Reputation: low
                                                                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="256658" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 3FD5C0634443FB2EF2796B9636159CB6
SHA1: 366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256: 58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512: 8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious: false
Reputation: high, very likely benign file
                                                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1835008
                                                                                                                                      Entropy (8bit):4.4655643327005
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:TIXfpi67eLPU9skLmb0b4OWSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbm:EXD94OWlLZMM6YFH1+m
                                                                                                                                      MD5:CF7810346F54F7CB5DE392CC3F909EBC
                                                                                                                                      SHA1:6F3CFBF4864E271E7798A120F4793E106CBCB382
                                                                                                                                      SHA-256:C539DF25C68EDA88BE9B1DE61973FBAF6EA99EB46A3066B5733E5FEAE8FCE312
                                                                                                                                      SHA-512:925708E3A1CFCFA43C3467F9B2B8678954CC264CD6A91F69A1A22C3B93F662E9134B48FA3AE2157A360913A163769F18E60B0C59D85581FA7316E162F753118A
                                                                                                                                      Malicious:false
                                                                                                                                      Reputation:low
                                                                                                                                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.a.f................................................................................................................................................................................................................................................................................................................................................z.R........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                      File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                      Entropy (8bit):7.70166996940082
                                                                                                                                      TrID:
                                                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                      File name:file.exe
                                                                                                                                      File size:399'360 bytes
                                                                                                                                      MD5:57527c8a34c0cac7dae9e528bfc54af0
                                                                                                                                      SHA1:48f6cb641842cc47e06c04e94064e0e33edb8af8
                                                                                                                                      SHA256:52c8947c40ed9f6facea49a5986f4232af6aadd73fbc395de25bfce50bc8a7e2
                                                                                                                                      SHA512:8690348f1efe3c070b5e0df344b3f3e048684e784f6c29a0cea727a1b7a42395d7d2d2ed73602ab0f31813d363fc3d6584a70702571ce1182fc5e3ec808d98fa
                                                                                                                                      SSDEEP:6144:TQQpEcFOPQfoMnM09GVFC/dKejaM7ggQEiLMuZTiyoSVDl7J9PhgVv5RK:TQQpdFOYf5InCFKMatPTilSVh77Qr
                                                                                                                                      TLSH:0C84D0247BEB151AE26FAB735EF126C9897B73103F639B6E108012354DB7701BE92931
                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.............................,... ...@....@.. ....................................`................................
                                                                                                                                      Icon Hash:90cececece8e8eb0
                                                                                                                                      Entrypoint:0x462c8e
                                                                                                                                      Entrypoint Section:.text
                                                                                                                                      Digitally signed:false
                                                                                                                                      Imagebase:0x400000
                                                                                                                                      Subsystem:windows cui
                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                      Time Stamp:0x66069D8D [Fri Mar 29 10:53:01 2024 UTC]
                                                                                                                                      TLS Callbacks:
                                                                                                                                      CLR (.Net) Version:
                                                                                                                                      OS Version Major:4
                                                                                                                                      OS Version Minor:0
                                                                                                                                      File Version Major:4
                                                                                                                                      File Version Minor:0
                                                                                                                                      Subsystem Version Major:4
                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                      Instruction
                                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                                      add byte ptr [eax], al
                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x62c400x4b.text
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x640000x554.rsrc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x660000xc.reloc
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x62bfc0x1c.text
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                      .text0x20000x60c940x60e00380d1f8bd83b7ebccc5d14a8e07f8031False0.8819178427419355data7.71765723004061IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                      .rsrc0x640000x5540x600216d4f0c5746f9785ab164176c8b8188False0.4095052083333333data3.985544267443627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                      .reloc0x660000xc0x200843ab18880dc4690acd7e2aade654796False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                      RT_VERSION0x640a00x2c8data0.45786516853932585
                                                                                                                                      RT_MANIFEST0x643680x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041
                                                                                                                                      DLLImport
                                                                                                                                      mscoree.dll_CorExeMain
                                                                                                                                      TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                      03/29/24-15:35:59.551811TCP2046056ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)29587497305.42.65.0192.168.2.4
                                                                                                                                      03/29/24-15:35:54.093174TCP2046045ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)4973029587192.168.2.45.42.65.0
                                                                                                                                      03/29/24-15:36:06.573665TCP2043231ET TROJAN Redline Stealer TCP CnC Activity4973029587192.168.2.45.42.65.0
                                                                                                                                      03/29/24-15:35:54.296392TCP2043234ET MALWARE Redline Stealer TCP CnC - Id1Response29587497305.42.65.0192.168.2.4
                                                                                                                                      TimestampSource PortDest PortSource IPDest IP


Target ID: 0
Start time: 15:35:51
Start date: 29/03/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x890000
File size: 399'360 bytes
MD5 hash: 57527C8A34C0CAC7DAE9E528BFC54AF0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1730445077.0000000003D05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 15:35:51
Start date: 29/03/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 15:35:51
Start date: 29/03/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0x520000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1759645891.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1763200672.0000000002954000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 5
Start time: 15:35:51
Start date: 29/03/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6108 -s 980
Imagebase: 0xcf0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 36.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 22.6%
Total number of Nodes: 53
Total number of Limit Nodes: 7

Callgraph


Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02D053A0
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02D053B3
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02D053D1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02D053F5
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02D05420
• WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02D05478
• WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02D054C3
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02D05501
• Wow64SetThreadContext.KERNEL32(?,?), ref: 02D0553D
• ResumeThread.KERNELBASE(?), ref: 02D0554C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729667675.0000000002D05000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D05000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d05000_file.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: GetP$Load$aryA$ress
• API String ID: 2687962208-977067982
• Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction ID: 82e3596574ac35d8bf6320349be3eed8a654faad338accbe8e46f9d08b9316dc
• Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction Fuzzy Hash: 82B1E57664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB351D774FA41CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1160000_file.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 7803a1f09c9b68778b69dd97d9a3449943129ec75a5b38afe1c1d478b02b7477
• Instruction ID: bb2a3fd5424e7b190cd79301a99bade69d39e98db3b01e96875da572c85af4bf
• Opcode Fuzzy Hash: 7803a1f09c9b68778b69dd97d9a3449943129ec75a5b38afe1c1d478b02b7477
• Instruction Fuzzy Hash: 6332D130A002559FCB1ACFA9C090A9DFBF2FF89314F59C559D459AB252CB35EC82CB94
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• CreateThread.KERNELBASE(?,?,?,00000000,?,?), ref: 01161984
Memory Dump Source
• Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1160000_file.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 38563f51ab871274f2d3d93a500f82f941fc5760fcb642a28d08df9589551a67
• Instruction ID: 5f3ce604e0c89e5c5e0efd25b75ea98a9482fa1f64c4b0c76ca99bda46c0d1de
• Opcode Fuzzy Hash: 38563f51ab871274f2d3d93a500f82f941fc5760fcb642a28d08df9589551a67
• Instruction Fuzzy Hash: C92124B19003099FCB10CFA9D980ADEBBF5FF48310F10842AE919A7210D7759954CBA0
Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 241: 1161750-11617dd VirtualProtectEx -> 244, 245
• 244: 11617e6-1161816
• 245: 11617df-11617e5 -> 244
                                                                                                                                        APIs
                                                                                                                                        • VirtualProtectEx.KERNELBASE(?,?,?,00000000,?), ref: 011617D0
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: ProtectVirtual
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 544645111-0
                                                                                                                                        • Opcode ID: 2d179a2a0700c7cd0bc9a3d88faa33911088fd96e4bf5f590692b16f18b89911
                                                                                                                                        • Instruction ID: 9c8663e1b7aaf29ca1cf37b4577b993d0b62555c78354bbabfad96f1061655b1
                                                                                                                                        • Opcode Fuzzy Hash: 2d179a2a0700c7cd0bc9a3d88faa33911088fd96e4bf5f590692b16f18b89911
                                                                                                                                        • Instruction Fuzzy Hash: 742139B1C002599FCB10DFAAC980AEEFBF5FF48320F50842AE559A7250C7399954CFA5
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 249: 1161828-11618a2 CreateThread -> 252, 253
• 252: 11618a4-11618aa -> 253
• 253: 11618ab-11618d0
                                                                                                                                        APIs
                                                                                                                                        • CreateThread.KERNELBASE(?,?), ref: 01161895
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2422867632-0
                                                                                                                                        • Opcode ID: d3585e45b979766afd209714dfde4bfb316d7fb10ab16617e7664f86fba0edb5
                                                                                                                                        • Instruction ID: 822baee8065936de76d4040c8015ddf170e03d6c8d1d442f2e309e7ec22d8ae4
                                                                                                                                        • Opcode Fuzzy Hash: d3585e45b979766afd209714dfde4bfb316d7fb10ab16617e7664f86fba0edb5
                                                                                                                                        • Instruction Fuzzy Hash: F31149B19002488FDB14DFA9C4457EEFFF5AB88324F20882AD459B7250CB359944CFA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 257: 1161830-11618a2 CreateThread -> 260, 261
• 260: 11618a4-11618aa -> 261
• 261: 11618ab-11618d0
                                                                                                                                        APIs
                                                                                                                                        • CreateThread.KERNELBASE(?,?), ref: 01161895
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_0_2_1160000_file.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: CreateThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2422867632-0
                                                                                                                                        • Opcode ID: ebd167dbda92ea5c39b202f0e73fa4db35ef2a57aa969fa8a5bc0ad7249be5f1
                                                                                                                                        • Instruction ID: 0f2297424efdbe7b700cb952659a20a4f08f39a695774b155600ef05898bda60
                                                                                                                                        • Opcode Fuzzy Hash: ebd167dbda92ea5c39b202f0e73fa4db35ef2a57aa969fa8a5bc0ad7249be5f1
                                                                                                                                        • Instruction Fuzzy Hash: 3F1149B19002488FCB14DFAAC4447DEFFF9AB88324F108829D455A7250C735A544CF94
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%
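The function entries above all share one shape: an "APIs" list with the call site, a "Memory Dump Source" line whose "based on PE: false" flag marks code that was not backed by an image on disk, and a snapshot file name. As an added triage example (this is not part of the Joe Sandbox report or its tooling), the Python below parses entries in that shape, keeps only the non-PE-backed regions, and groups their Win32 calls into memory-protection, thread-creation and import-resolution stages so that the dumped regions worth opening first stand out. The stage labels are this example's own classification, the assumption that the snapshot name ends in the originating process name (as in hcaresult_0_2_1160000_file.jbxd) is the example's, and the sample input is constructed from abbreviated copies of this report's own entries.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Win32 calls worth a second look when they are made from memory that is not
# backed by a PE image. The stage labels are this script's own classification
# (allocate / write / protect / execute / resolve), not Joe Sandbox terms.
STAGE_OF_API = {
    "VirtualAllocEx": "allocate",
    "WriteProcessMemory": "write",
    "VirtualProtectEx": "protect",
    "CreateThread": "execute",
    "CreateRemoteThread": "execute",
    "ResumeThread": "execute",
    "GetModuleHandleW": "resolve",
    "LoadLibraryExW": "resolve",
    "GetProcAddress": "resolve",
}

# One bullet of the report's "APIs" list, e.g.
#   • VirtualProtectEx.KERNELBASE(?,?,?,00000000,?), ref: 011617D0
#   • GetCurrentProcess.KERNEL32 ref: 026CD136
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "Source File:" carries the dump name, the region base and the PE-backed flag.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)
# Assumption: the snapshot name ends in the process the dump came from.
SNAPSHOT_RE = re.compile(
    r"Snapshot File:\s*hcaresult_\d+_\d+_[0-9a-f]+_(?P<proc>.+)\.jbxd"
)


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)  # (api, module, call-site ref)
    dump: str = ""
    offset: str = ""
    pe_backed: bool = True
    process: str = ""


def parse_function_entries(report_text: str) -> list:
    """Walk the text export line by line; each 'APIs' heading starts an entry."""
    entries, current = [], None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        if (m := API_RE.match(line)):
            current.apis.append((m["api"], m["module"], m["ref"].upper()))
        elif (m := SOURCE_RE.search(line)):
            current.dump, current.offset = m["dump"], m["offset"].upper()
            current.pe_backed = m["pe"] == "true"
        elif (m := SNAPSHOT_RE.search(line)):
            current.process = m["proc"]
    return entries


def injection_stages_by_region(entries: list) -> dict:
    """(process, region base) -> {stage: sorted APIs}, non-PE-backed code only."""
    found = defaultdict(lambda: defaultdict(set))
    for e in entries:
        if e.pe_backed:
            continue
        for api, _module, _ref in e.apis:
            stage = STAGE_OF_API.get(api)
            if stage:
                found[(e.process, e.offset)][stage].add(api)
    return {key: {s: sorted(a) for s, a in st.items()} for key, st in found.items()}


def triage(report_text: str) -> list:
    """One line per flagged region; regions that start threads are listed first."""
    rows = []
    regions = injection_stages_by_region(parse_function_entries(report_text))
    for (proc, off), stages in regions.items():
        desc = " ".join(f"{s}({','.join(a)})" for s, a in sorted(stages.items()))
        rows.append(("execute" not in stages, proc, off, f"{proc}@{off}: {desc}"))
    return [r[-1] for r in sorted(rows)]


# Constructed sample: abbreviated copies of four entries from this report.
SAMPLE_REPORT = """\
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,00000000,?), ref: 011617D0
Memory Dump Source
• Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1160000_file.jbxd
APIs
• CreateThread.KERNELBASE(?,?), ref: 01161895
Memory Dump Source
• Source File: 00000000.00000002.1729355752.0000000001160000.00000040.00000800.00020000.00000000.sdmp, Offset: 01160000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1160000_file.jbxd
APIs
• GetCurrentProcess.KERNEL32 ref: 026CD136
• GetCurrentThread.KERNEL32 ref: 026CD173
Memory Dump Source
• Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 026CB086
Memory Dump Source
• Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(row)
```

Run against the full text export rather than the sample, the script lists every non-PE-backed region per process; a region that combines a protect stage with an execute stage is the one to load into a disassembler first, while GetCurrentProcess-style calls are deliberately left out of the stage table so that plain runtime housekeeping does not inflate the list. The verdict itself still comes from the report's signatures; this only orders the reverse-engineering work.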

Execution Graph

Execution Coverage:7.9%
Dynamic/Decrypted Code Coverage:100%
Signature Coverage:0%
Total number of Nodes:53
Total number of Limit Nodes:7

Nodes are listed as id: address, API called (if any), successors.

Root 26c4668 (CreateActCtxA chain):
• 15018: 26c4668 -> 15019
• 15019: 26c4684 -> 15020, 15022
• 15020: 26c4696
• 15022: 26c47a0 -> 15023
• 15023: 26c47c5 -> 15027, 15031
• 15027: 26c48b0 -> 15028
• 15028: 26c48d7 -> 15030, 15035
• 15030: 26c49b4
• 15031: 26c48a1 -> 15033
• 15033: 26c48b0 -> 15032, 15034
• 15032: 26c49b4
• 15034: 26c4248 CreateActCtxA -> 15032
• 15035: 26c4248 -> 15036
• 15036: 26c5940 CreateActCtxA -> 15038
• 15038: 26c5a03

Root 26cad38 (LoadLibraryExW / GetModuleHandleW chain):
• 15039: 26cad38 -> 15040
• 15040: 26cad3a -> 15044, 15052
• 15041: 26cad47
• 15044: 26cae20 -> 15045
• 15045: 26cae30 -> 15046, 15060, 15064
• 15046: 26cae64 -> 15041
• 15047: 26cb068 GetModuleHandleW -> 15049
• 15048: 26cae5c -> 15046, 15047
• 15049: 26cb095 -> 15041
• 15052: 26cae30 -> 15053
• 15053: 26cae32 -> 15054, 15058, 15059
• 15054: 26cae64 -> 15041
• 15055: 26cae5c -> 15054, 15056
• 15056: 26cb068 GetModuleHandleW -> 15057
• 15057: 26cb095 -> 15041
• 15058: 26cb0c8 LoadLibraryExW -> 15055
• 15059: 26cb0b8 LoadLibraryExW -> 15055
• 15060: 26cb0c8 -> 15061
• 15061: 26cb0dc -> 15063, 15068
• 15063: 26cb101 -> 15048
• 15064: 26cb0b8 -> 15065
• 15065: 26cb0dc -> 15066, 15067
• 15066: 26ca870 LoadLibraryExW -> 15067
• 15067: 26cb101 -> 15048
• 15068: 26ca870 -> 15069
• 15069: 26cb2a8 LoadLibraryExW -> 15071
• 15071: 26cb321 -> 15063

Root 26cd0b8 (GetCurrentProcess / GetCurrentThread chain):
• 15072: 26cd0b8 -> 15073
• 15073: 26cd0fe GetCurrentProcess -> 15075, 15076
• 15075: 26cd149 -> 15076
• 15076: 26cd150 GetCurrentThread -> 15077, 15078
• 15077: 26cd18d GetCurrentProcess -> 15079
• 15078: 26cd186 -> 15077
• 15079: 26cd1c3 -> 15080
• 15080: 26cd1eb GetCurrentThreadId -> 15081
• 15081: 26cd21c

Root 26cd300 (DuplicateHandle):
• 15082: 26cd300 DuplicateHandle -> 15083
• 15083: 26cd396

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 294: 26cd0a8-26cd147 GetCurrentProcess -> 298, 299
• 298: 26cd149-26cd14f -> 299
• 299: 26cd150-26cd184 GetCurrentThread -> 300, 301
• 300: 26cd18d-26cd1c1 GetCurrentProcess -> 303, 304
• 301: 26cd186-26cd18c -> 300
• 303: 26cd1ca-26cd1e5 call 26cd289 -> 306
• 304: 26cd1c3-26cd1c9 -> 303
• 306: 26cd1eb-26cd21a GetCurrentThreadId -> 308, 309
• 308: 26cd21c-26cd222 -> 309
• 309: 26cd223-26cd285
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 026CD136
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 026CD173
                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 026CD1B0
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 026CD209
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                        • Opcode ID: 443d8b255ebb798c01662dbf1e02570a526d906554fae8b8a2fb93f3c9efeaa3
                                                                                                                                        • Instruction ID: 73d50deafaa6282461928b4a62e6bd38c74e7651b74f73caf9482bed942685fc
                                                                                                                                        • Opcode Fuzzy Hash: 443d8b255ebb798c01662dbf1e02570a526d906554fae8b8a2fb93f3c9efeaa3
                                                                                                                                        • Instruction Fuzzy Hash: 3A5148B0901249CFDB14DFA9D548BAEBBF1EB48314F20846DE459A73A0DB349984CF65
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 316: 26cd0b8-26cd147 GetCurrentProcess -> 320, 321
• 320: 26cd149-26cd14f -> 321
• 321: 26cd150-26cd184 GetCurrentThread -> 322, 323
• 322: 26cd18d-26cd1c1 GetCurrentProcess -> 325, 326
• 323: 26cd186-26cd18c -> 322
• 325: 26cd1ca-26cd1e5 call 26cd289 -> 328
• 326: 26cd1c3-26cd1c9 -> 325
• 328: 26cd1eb-26cd21a GetCurrentThreadId -> 330, 331
• 330: 26cd21c-26cd222 -> 331
• 331: 26cd223-26cd285
                                                                                                                                        APIs
                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 026CD136
                                                                                                                                        • GetCurrentThread.KERNEL32 ref: 026CD173
                                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 026CD1B0
                                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 026CD209
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2063062207-0
                                                                                                                                        • Opcode ID: 76cc28ea06457ae0d06ad2250217b7d02c84376ed87474db65b90f7bb4ae5732
                                                                                                                                        • Instruction ID: 2708737a52d46b71241c9dcdd144c66955e0acdb9a65d65fbf6c18f19b83b2b2
                                                                                                                                        • Opcode Fuzzy Hash: 76cc28ea06457ae0d06ad2250217b7d02c84376ed87474db65b90f7bb4ae5732
                                                                                                                                        • Instruction Fuzzy Hash: DC5137B0901249CFDB14DFAAD548BAEBBF1EB48314F20846DE419A73A0D774A984CF65
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 360: 26cae30-26cae3f -> 362, 363
• 362: 26cae6b-26cae6f -> 364, 365
• 363: 26cae41-26cae4e call 26c9838 -> 370, 371
• 364: 26cae71-26cae7b -> 365
• 365: 26cae83-26caec4 -> 372, 373
• 370: 26cae64 -> 362
• 371: 26cae50 -> 420, 421
• 372: 26caec6-26caece -> 373
• 373: 26caed1-26caedf -> 375, 376
• 374: 26cae5c-26cae5e -> 370, 377
• 375: 26caee1-26caee6 -> 378, 379
• 376: 26caf03-26caf05 -> 380
• 377: 26cafa0-26cafb7 -> 392
• 378: 26caee8-26caeef call 26ca814 -> 383
• 379: 26caef1 -> 383
• 380: 26caf08-26caf0f -> 381, 382
• 381: 26caf1c-26caf23 -> 387, 388
• 382: 26caf11-26caf19 -> 381
• 383: 26caef3-26caf01 -> 380
• 387: 26caf25-26caf2d -> 388
• 388: 26caf30-26caf39 call 26ca824 -> 393, 394
• 392: 26cafb9-26cb018 -> 412
• 393: 26caf3b-26caf43 -> 394
• 394: 26caf46-26caf4b -> 395, 396
• 395: 26caf4d-26caf54 -> 396, 398
• 396: 26caf69-26caf76 -> 401, 402
• 398: 26caf56-26caf66 call 26ca834, call 26ca844 -> 396
• 401: 26caf78-26caf96 -> 402
• 402: 26caf99-26caf9f
• 412: 26cb01a-26cb01c -> 413, 414
• 413: 26cb01e-26cb046 -> 414
• 414: 26cb048-26cb060 -> 415, 416
• 415: 26cb068-26cb093 GetModuleHandleW -> 417, 418
• 416: 26cb062-26cb065 -> 415
• 417: 26cb09c-26cb0b0
• 418: 26cb095-26cb09b -> 417
• 420: 26cae56 call 26cb0c8 -> 374
• 421: 26cae56 call 26cb0b8 -> 374
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 026CB086
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                        • Opcode ID: dbbb721d4615c23f98b7ffaad31564c15dab9d353c4d7b8b8b6d79c6d04da243
                                                                                                                                        • Instruction ID: f341ed1ffacf4a29a9f9e285e410bfce30d5a11e2af25ff9ac69482bd713408c
                                                                                                                                        • Opcode Fuzzy Hash: dbbb721d4615c23f98b7ffaad31564c15dab9d353c4d7b8b8b6d79c6d04da243
                                                                                                                                        • Instruction Fuzzy Hash: 348124B0A00B498FDB24EF69D14176ABBF1FB88304F10892DD09697B50D775E946CB94
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

Control-flow Graph

Legend of the rendered graph: Executed / Not Executed (block colouring is not preserved in the text export). Basic blocks are listed as id: address range, API or call, successors.
• 422: 26c5935-26c593c -> 423
• 423: 26c5944-26c5a01 CreateActCtxA -> 425, 426
• 425: 26c5a0a-26c5a64 -> 433, 434
• 426: 26c5a03-26c5a09 -> 425
• 433: 26c5a66-26c5a69 -> 434
• 434: 26c5a73-26c5a77 -> 435, 436
• 435: 26c5a88 -> 438
• 436: 26c5a79-26c5a85 -> 435
• 438: 26c5a89 -> 438 (self-loop)
                                                                                                                                        APIs
                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 026C59F1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                        • Opcode ID: bbcddce70cec3cc45fa73aee04fafd33d5426d38813f98dd2f30cf14433d53a8
                                                                                                                                        • Instruction ID: 31754b3ab48b6ff42c7d84485a0e313fda44f3d66612e8485f36ae5935f2be32
                                                                                                                                        • Opcode Fuzzy Hash: bbcddce70cec3cc45fa73aee04fafd33d5426d38813f98dd2f30cf14433d53a8
                                                                                                                                        • Instruction Fuzzy Hash: 9B41D1B0D00619CFDB24DFAAC98479DBBB5FF44304F24816AD409BB254DB75698ACF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                         Control-flow Graph

                                                                                                                                         [Rendered control-flow graph omitted; legend: Executed / Not Executed. Basic blocks 26c4248-26c5a89; calls CreateActCtxA]
                                                                                                                                        APIs
                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 026C59F1
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: Create
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                        • Opcode ID: 26d5da7e8486438eb082eb78377c8fd1e1201814ba77d9c1bf1f695677f77aea
                                                                                                                                        • Instruction ID: 7c124859e0d17d50ce2562b98d248f0dd03b7ecd8099afed26dc75d21643648d
                                                                                                                                        • Opcode Fuzzy Hash: 26d5da7e8486438eb082eb78377c8fd1e1201814ba77d9c1bf1f695677f77aea
                                                                                                                                        • Instruction Fuzzy Hash: C241E2B0C00619CBDB24DFAAC884B9DBBB5FF44304F64809AD409BB254DB756989CF90
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                         Control-flow Graph

                                                                                                                                         [Rendered control-flow graph omitted; legend: Executed / Not Executed. Basic blocks 26cd300-26cd3ba; calls DuplicateHandle]
                                                                                                                                        APIs
                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD387
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                        • Opcode ID: f8c14a904f7284438da3b92478791a80f5ddbc645fba978d896dd4092bfd206d
                                                                                                                                        • Instruction ID: cfdca4a3051cb4242257a6d395a00c162a2d0ba21879fca882c3c91a4f33f8f1
                                                                                                                                        • Opcode Fuzzy Hash: f8c14a904f7284438da3b92478791a80f5ddbc645fba978d896dd4092bfd206d
                                                                                                                                        • Instruction Fuzzy Hash: 3021E4B5D002489FDB10CF9AD984ADEFBF4EB48320F14841AE958A3310D374A954CFA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                         Control-flow Graph

                                                                                                                                         [Rendered control-flow graph omitted; legend: Executed / Not Executed. Basic blocks 26cd2f9-26cd3ba; calls DuplicateHandle]
                                                                                                                                        APIs
                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026CD387
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                        • Opcode ID: 59b8e5f4cb4755bdbbed9639319ecf20fedb0f909646f2b6d567f107362f0ee2
                                                                                                                                        • Instruction ID: 81999f91929d009656f471cb35db0a62fa244c984259799e4348e91ba73ff3db
                                                                                                                                        • Opcode Fuzzy Hash: 59b8e5f4cb4755bdbbed9639319ecf20fedb0f909646f2b6d567f107362f0ee2
                                                                                                                                        • Instruction Fuzzy Hash: 8E21E2B5D00209DFDB10CFA9D584AEEBBF5EB48324F24842AE958A3350C774A954CFA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                         Control-flow Graph

                                                                                                                                         [Rendered control-flow graph omitted; legend: Executed / Not Executed. Basic blocks 26ca870-26cb345; calls LoadLibraryExW]
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026CB101,00000800,00000000,00000000), ref: 026CB312
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                        • Opcode ID: bd83d5ba21e09702690ca042e9bf679f9b425828399483dc90431d0ffb2dea24
                                                                                                                                        • Instruction ID: a487036a5d1ea8345c2a05fd5902908dd1096e26b9e7c3a8ac1c6467ad71cf2d
                                                                                                                                        • Opcode Fuzzy Hash: bd83d5ba21e09702690ca042e9bf679f9b425828399483dc90431d0ffb2dea24
                                                                                                                                        • Instruction Fuzzy Hash: 151133B2D003488FDB10DF9AC444AAEFBF4EB48314F10842ED819A7300C374A545CFA4
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                         Control-flow Graph

                                                                                                                                         [Rendered control-flow graph omitted; legend: Executed / Not Executed. Basic blocks 26cb2a0-26cb345; calls LoadLibraryExW]
                                                                                                                                        APIs
                                                                                                                                        • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026CB101,00000800,00000000,00000000), ref: 026CB312
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: LibraryLoad
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 1029625771-0
                                                                                                                                        • Opcode ID: 970c5a1600c1f509e7df044c203e1d5d9a44449e4772c5684ec42d5768143f74
                                                                                                                                        • Instruction ID: ca944cebd93a7bd11158277f3b26dd5e8913e7258574c8cec4574ec580c0c8b3
                                                                                                                                        • Opcode Fuzzy Hash: 970c5a1600c1f509e7df044c203e1d5d9a44449e4772c5684ec42d5768143f74
                                                                                                                                        • Instruction Fuzzy Hash: 0B1100B69002488FDB10DF9AC544AEEFBF4EB88324F14846ED969A7210C375A545CFA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                         Control-flow Graph

                                                                                                                                         [Rendered control-flow graph omitted; legend: Executed / Not Executed. Basic blocks 26cb020-26cb0b0; calls GetModuleHandleW]
                                                                                                                                        APIs
                                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 026CB086
                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762893162.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_26c0000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: HandleModule
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID: 4139908857-0
                                                                                                                                        • Opcode ID: 676ba519aa852f504819ca143efdb584962c749c9ca9c04573ecd074be5dcdd4
                                                                                                                                        • Instruction ID: fd8dbb73907c8e277995449b0b7f596b18e1a55df611f93a4b25774e6519e27e
                                                                                                                                        • Opcode Fuzzy Hash: 676ba519aa852f504819ca143efdb584962c749c9ca9c04573ecd074be5dcdd4
                                                                                                                                        • Instruction Fuzzy Hash: D61102B5D003498FCB20DF9AC544ADEFBF4EB48224F10845AD468B7210C375A545CFA1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762507103.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_dcd000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 900255dd8d3a233b04dacfa495426c65b20f48cd73289034e40d7aff95e0b4e2
                                                                                                                                        • Instruction ID: 76026626c5f8ef1b088e7fbdb81fdfcf6db922175e9ebe67229057b07fc15f9b
                                                                                                                                        • Opcode Fuzzy Hash: 900255dd8d3a233b04dacfa495426c65b20f48cd73289034e40d7aff95e0b4e2
                                                                                                                                        • Instruction Fuzzy Hash: 6E210271108201DFCB09DF04C9C0F26BB66EB94314F24C17DDA094B216C336E846CAB1
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762507103.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_dcd000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID:
                                                                                                                                        • String ID:
                                                                                                                                        • API String ID:
                                                                                                                                        • Opcode ID: 088ac3c292f9dd491f455a9bd8593a081dc7e726c4ecd96a222d2295a295f723
                                                                                                                                        • Instruction ID: e75817cdc4d18c5d96cba223813e7cfa5df109b5c35dd30795f408f5bd4a8d6f
                                                                                                                                        • Opcode Fuzzy Hash: 088ac3c292f9dd491f455a9bd8593a081dc7e726c4ecd96a222d2295a295f723
                                                                                                                                        • Instruction Fuzzy Hash: C7210D72504241DFCB05DF14D980F2ABF62EB98318F24C67DE9490B256C336D846CAB2
                                                                                                                                        Uniqueness

                                                                                                                                        Uniqueness Score: -1.00%

                                                                                                                                        Memory Dump Source
                                                                                                                                        • Source File: 00000002.00000002.1762651541.00000000025FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 025FD000, based on PE: false
                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                        • Snapshot File: hcaresult_2_2_25fd000_RegAsm.jbxd
                                                                                                                                        Similarity
                                                                                                                                        • API ID: