
Windows Analysis Report
EYve4TeHvZ.exe

Overview

General Information

Sample name: EYve4TeHvZ.exe (renamed because the original name is a hash value)
Original sample name: d89407ff1c7e68212ea29e5d7da5fba9.exe
Analysis ID: 1636804
MD5: d89407ff1c7e68212ea29e5d7da5fba9
SHA1: 8def9ed32436c34b27fcee48b9b10e4f4b519f74
SHA256: af621a0196ca315b44e889e295e0b227a1ed3afc3e2f1b266875436874138fa3
Tags: exe, RedLineStealer, user-abuse_ch

Detection

RedLine
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • EYve4TeHvZ.exe (PID: 7736 cmdline: "C:\Users\user\Desktop\EYve4TeHvZ.exe" MD5: D89407FF1C7E68212EA29E5D7DA5FBA9)
    • RegSvcs.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\EYve4TeHvZ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • EYve4TeHvZ.exe (PID: 7760 cmdline: "C:\Users\user\Desktop\EYve4TeHvZ.exe" MD5: D89407FF1C7E68212EA29E5D7DA5FBA9)
      • RegSvcs.exe (PID: 7808 cmdline: "C:\Users\user\Desktop\EYve4TeHvZ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • EYve4TeHvZ.exe (PID: 7816 cmdline: "C:\Users\user\Desktop\EYve4TeHvZ.exe" MD5: D89407FF1C7E68212EA29E5D7DA5FBA9)
        • RegSvcs.exe (PID: 7832 cmdline: "C:\Users\user\Desktop\EYve4TeHvZ.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": ["45.144.212.192:1912"], "Bot Id": "GRACELOVELOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000002.00000002.1187752931.0000000003880000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
          • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
          • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
          • 0x700:$s3: 83 EC 38 53 B0 FD 88 44 24 2B 88 44 24 2F B0 70 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
          • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
          • 0x1e9d0:$s5: delete[]
          • 0x1de88:$s6: constructor or from DllMain.
00000005.00000002.1318277497.0000000000400000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen (same $s1-$s6 strings as above, at different offsets)
00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author | Strings
4.2.EYve4TeHvZ.exe.3e40000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen (same $s1-$s6 strings as above)
5.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen (same $s1-$s6 strings as above)
5.2.RegSvcs.exe.3049886.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.2.RegSvcs.exe.3049886.1.raw.unpack | infostealer_win_redline_strings | Finds Redline samples based on characteristic strings | Sekoia.io
  • 0x2c6a3:$gen01: ChromeGetRoamingName
  • 0x2c6b8:$gen02: ChromeGetLocalName
  • 0x2aa49:$gen03: get_UserDomainName
  • 0x2c908:$gen04: get_encrypted_key
  • 0x2aed0:$gen05: browserPaths
  • 0x2c1dc:$gen06: GetBrowsers
  • 0x2c2a0:$gen07: get_InstalledInputLanguages
  • 0x2c57f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x416aa:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x31ab2:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x31b50:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x3217c:$spe9: *wallet*
5.2.RegSvcs.exe.3049886.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
No Sigma rule has matched

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-13T06:17:18.061900+0100 | 2043234 | 1 | A Network Trojan was detected | 45.144.212.192 | 1912 | 192.168.2.4 | 49712 | TCP
2025-03-13T06:17:17.879285+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:23.350751+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:25.545844+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:25.782649+0100 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:23.543075+0100 | 2046056 | 1 | A Network Trojan was detected | 45.144.212.192 | 1912 | 192.168.2.4 | 49712 | TCP
2025-03-13T06:17:17.879285+0100 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP

AV Detection

Source: EYve4TeHvZ.exe | Avira: detected
Source: 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["45.144.212.192:1912"], "Bot Id": "GRACELOVELOG", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: EYve4TeHvZ.exe | Virustotal: Detection: 54%
Source: EYve4TeHvZ.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: EYve4TeHvZ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1319539106.00000000030A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: EYve4TeHvZ.exe, 00000000.00000003.1169552575.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000000.00000003.1170034021.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185930899.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185751372.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1197356727.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1198075652.00000000040C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: EYve4TeHvZ.exe, 00000000.00000003.1169552575.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000000.00000003.1170034021.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185930899.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185751372.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1197356727.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1198075652.00000000040C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00B7445A
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7C6D1 FindFirstFileW,FindClose | 0_2_00B7C6D1
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_00B7C75C
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00B7EF95
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00B7F0F2
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00B7F3F3
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00B737EF
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00B73B12
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00B7BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 5_2_068D267C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 5_2_068D1F68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 5_2_068ECDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 076FB5DAh | 5_2_076FB529
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 076FB5DAh | 5_2_076FB530

Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49712 -> 45.144.212.192:1912
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49712 -> 45.144.212.192:1912
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 45.144.212.192:1912 -> 192.168.2.4:49712
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.144.212.192:1912 -> 192.168.2.4:49712
Source: Malware configuration extractor | URLs: 45.144.212.192:1912
Source: global traffic | TCP traffic: 192.168.2.4:49712 -> 45.144.212.192:1912
Source: Joe Sandbox View | ASN Name: HPC-MVM-ASHU HPC-MVM-ASHU
Source: unknown | TCP traffic detected without corresponding DNS query: 45.144.212.192
Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_00B822EE
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmH
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000036B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000036B2000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000036B2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                Source: RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1319539106.0000000003008000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, | 0_2_00B84164
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, | 0_2_00B83F66
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, | 0_2_00B7001C
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, | 0_2_00B9CABC

                System Summary

                Source: 4.2.EYve4TeHvZ.exe.3e40000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.3049886.1.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 2.2.EYve4TeHvZ.exe.3880000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 5.2.RegSvcs.exe.57f0000.4.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.5bb0000.5.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.57f0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 5.2.RegSvcs.exe.57f0ee8.3.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 0.2.EYve4TeHvZ.exe.3dd0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 5.2.RegSvcs.exe.304899e.2.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 5.2.RegSvcs.exe.304899e.2.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 00000002.00000002.1187752931.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000005.00000002.1318277497.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: 00000000.00000002.1171362184.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000004.00000002.1200576416.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects RedLine infostealer Author: ditekSHen
                Source: 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exeCode function: This is a third-party compiled AutoIt script.0_2_00B13B3A
                Source: EYve4TeHvZ.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: EYve4TeHvZ.exe, 00000000.00000002.1170737258.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_42192206-a
                Source: EYve4TeHvZ.exe, 00000000.00000002.1170737258.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_c7e9a417-f
                Source: EYve4TeHvZ.exe, 00000002.00000000.1170329729.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_22d844c8-4
                Source: EYve4TeHvZ.exe, 00000002.00000000.1170329729.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_b6979cc1-6
                Source: EYve4TeHvZ.exe, 00000004.00000000.1186533768.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_bd0cf1f2-7
                Source: EYve4TeHvZ.exe, 00000004.00000000.1186533768.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_31165787-3
                Source: EYve4TeHvZ.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_c42b5786-0
                Source: EYve4TeHvZ.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` | memstr_e1c0392a-a
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle | 0_2_00B7A1EF
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00B68310
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00B751BD
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B3D975 | 0_2_00B3D975
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B321C5 | 0_2_00B321C5
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B462D2 | 0_2_00B462D2
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B903DA | 0_2_00B903DA
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B4242E | 0_2_00B4242E
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B325FA | 0_2_00B325FA
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B1E6A0 | 0_2_00B1E6A0
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B266E1 | 0_2_00B266E1
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B6E616 | 0_2_00B6E616
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B4878F | 0_2_00B4878F
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B78889 | 0_2_00B78889
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B28808 | 0_2_00B28808
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B90857 | 0_2_00B90857
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B46844 | 0_2_00B46844
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B3CB21 | 0_2_00B3CB21
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B46DB6 | 0_2_00B46DB6
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B26F9E | 0_2_00B26F9E
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B23030 | 0_2_00B23030
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B33187 | 0_2_00B33187
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B3F1D9 | 0_2_00B3F1D9
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B11287 | 0_2_00B11287
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B31484 | 0_2_00B31484
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B25520 | 0_2_00B25520
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B37696 | 0_2_00B37696
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B25760 | 0_2_00B25760
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B31978 | 0_2_00B31978
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B1FCE0 | 0_2_00B1FCE0
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B3BDA6 | 0_2_00B3BDA6
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B31D90 | 0_2_00B31D90
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B97DDB | 0_2_00B97DDB
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B23FE0 | 0_2_00B23FE0
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B1DF00 | 0_2_00B1DF00
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_014435B0 | 0_2_014435B0
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 2_2_010F2628 | 2_2_010F2628
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 4_2_0153FC6D | 4_2_0153FC6D
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 4_2_01543608 | 4_2_01543608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00408C60 | 5_2_00408C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040DC11 | 5_2_0040DC11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00407C3F | 5_2_00407C3F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418CCC | 5_2_00418CCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00406CA0 | 5_2_00406CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004028B0 | 5_2_004028B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A4BE | 5_2_0041A4BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418244 | 5_2_00418244
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00401650 | 5_2_00401650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402F20 | 5_2_00402F20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004193C4 | 5_2_004193C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418788 | 5_2_00418788
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402F89 | 5_2_00402F89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402B90 | 5_2_00402B90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004073A0 | 5_2_004073A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02FB7740 | 5_2_02FB7740
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02FB7733 | 5_2_02FB7733
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06889C48 | 5_2_06889C48
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0688BD90 | 5_2_0688BD90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06887BE0 | 5_2_06887BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0688B810 | 5_2_0688B810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0688C0C0 | 5_2_0688C0C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06886EA8 | 5_2_06886EA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068D5608 | 5_2_068D5608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068DF460 | 5_2_068DF460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068D0848 | 5_2_068D0848
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068DD9E8 | 5_2_068DD9E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068E0033 | 5_2_068E0033
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068E0040 | 5_2_068E0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_068E5565 | 5_2_068E5565
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076F8F20 | 5_2_076F8F20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FDFA8 | 5_2_076FDFA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FE428 | 5_2_076FE428
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FF308 | 5_2_076FF308
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FC3E8 | 5_2_076FC3E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FEBC0 | 5_2_076FEBC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076F12E8 | 5_2_076F12E8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FAA90 | 5_2_076FAA90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FD179 | 5_2_076FD179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FD953 | 5_2_076FD953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076F58D8 | 5_2_076F58D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076F942B | 5_2_076F942B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FC3D8 | 5_2_076FC3D8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FEBB1 | 5_2_076FEBB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076FAA80 | 5_2_076FAA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_076F5100 | 5_2_076F5100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: String function: 00B17DE1 appears 36 times
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: String function: 00B38900 appears 42 times
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: String function: 00B30AE3 appears 70 times
                Source: EYve4TeHvZ.exe, 00000000.00000003.1170034021.000000000410D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000000.00000002.1171362184.0000000003E06000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000000.00000003.1169919643.0000000003F63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000002.00000003.1184843198.0000000003A13000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000002.00000002.1187752931.00000000038B6000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000002.00000003.1185930899.0000000003BBD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000004.00000003.1197887459.0000000004043000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000004.00000003.1196971848.000000000417D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe, 00000004.00000002.1200576416.0000000003E76000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs EYve4TeHvZ.exe
                Source: EYve4TeHvZ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 4.2.EYve4TeHvZ.exe.3e40000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.3049886.1.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 2.2.EYve4TeHvZ.exe.3880000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.57f0000.4.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.5bb0000.5.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.57f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.57f0ee8.3.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 0.2.EYve4TeHvZ.exe.3dd0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.304899e.2.raw.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.304899e.2.unpack, type: UNPACKEDPE | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 00000002.00000002.1187752931.0000000003880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000005.00000002.1318277497.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 00000000.00000002.1171362184.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000004.00000002.1200576416.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                Source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/5@0/1
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7A06A GetLastError,FormatMessageW | 0_2_00B7A06A
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B681CB AdjustTokenPrivileges,CloseHandle | 0_2_00B681CB
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_00B687E1
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_00B7B3FB
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_00B8EE0D
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear | 0_2_00B883BB
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00B14E89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Local\SystemCache
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | File created: C:\Users\user\AppData\Local\Temp\autC8A4.tmp
                Source: EYve4TeHvZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RegSvcs.exe, 00000005.00000002.1320108351.0000000003A62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.0000000003A3D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.0000000003A54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000039BB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000039CA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: EYve4TeHvZ.exe | Virustotal: Detection: 54%
                Source: EYve4TeHvZ.exe | ReversingLabs: Detection: 71%
                Source: unknown | Process created: C:\Users\user\Desktop\EYve4TeHvZ.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Users\user\Desktop\EYve4TeHvZ.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Users\user\Desktop\EYve4TeHvZ.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Users\user\Desktop\EYve4TeHvZ.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Users\user\Desktop\EYve4TeHvZ.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Section loaded: wldp.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: EYve4TeHvZ.exe | Static file information: File size 1247232 > 1048576
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: EYve4TeHvZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1319539106.00000000030A1000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: EYve4TeHvZ.exe, 00000000.00000003.1169552575.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000000.00000003.1170034021.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185930899.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185751372.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1197356727.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1198075652.00000000040C0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: EYve4TeHvZ.exe, 00000000.00000003.1169552575.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000000.00000003.1170034021.0000000003FE0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185930899.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000002.00000003.1185751372.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1197356727.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp, EYve4TeHvZ.exe, 00000004.00000003.1198075652.00000000040C0000.00000004.00001000.00020000.00000000.sdmp
                Source: EYve4TeHvZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: EYve4TeHvZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: EYve4TeHvZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: EYve4TeHvZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: EYve4TeHvZ.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                barindex
                Source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.57f0000.4.raw.unpack, _.cs .Net Code: ___ System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B14B37 LoadLibraryA,GetProcAddress,0_2_00B14B37
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B38945 push ecx; ret 0_2_00B38958
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041C40C push cs; iretd 5_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00423149 push eax; ret 5_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041C50E push cs; iretd 5_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004231C8 push eax; ret 5_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040E21D push ecx; ret 5_2_0040E230
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041C6BE push ebx; ret 5_2_0041C6BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068846D0 push es; ret 5_2_068846EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_06884650 push es; ret 5_2_0688466C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_06889431 push edx; retf 5_2_068893C9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068862DF push es; ret 5_2_068862E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0688CD00 push es; ret 5_2_0688CD10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068D96C2 push es; retn 0008h 5_2_068D96D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068D2431 push es; ret 5_2_068D2440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068D4211 push es; retn 0004h 5_2_068D4220
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068D9810 push es; retn 0004h 5_2_068D9820
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068D9830 push es; retn 0004h 5_2_068D9840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_068D985C push es; retn 0004h 5_2_068D9840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_076FB241 push edi; retf 006Bh 5_2_076FB297
                Source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LreS1JrVDD5YW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LreS1JrVDD5YW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'LreS1JrVDD5YW', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00B148D7
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00B95376
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B33187
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe API/Special instruction interceptor: Address: 14431D4
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe API/Special instruction interceptor: Address: 10F224C
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe API/Special instruction interceptor: Address: 154322C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,5_2_004019F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 361
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2202
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105786
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe API coverage: 4.4 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00B7445A
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7C6D1 FindFirstFileW,FindClose,0_2_00B7C6D1
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00B7C75C
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B7EF95
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00B7F0F2
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00B7F3F3
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B737EF
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00B73B12
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00B7BCBC
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00B149A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                Source: RegSvcs.exe, 00000005.00000002.1327409402.0000000005B0C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\Um
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_02FB0890 LdrInitializeThunk,5_2_02FB0890
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B83F09 BlockInput,0_2_00B83F09
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00B13B3A
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00B45A7C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,5_2_004019F0
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B14B37 LoadLibraryA,GetProcAddress,0_2_00B14B37
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_01443440 mov eax, dword ptr fs:[00000030h] 0_2_01443440
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_014434A0 mov eax, dword ptr fs:[00000030h] 0_2_014434A0
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_01441E00 mov eax, dword ptr fs:[00000030h] 0_2_01441E00
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 2_2_010F2518 mov eax, dword ptr fs:[00000030h] 2_2_010F2518
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 2_2_010F24B8 mov eax, dword ptr fs:[00000030h] 2_2_010F24B8
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 2_2_010F0E78 mov eax, dword ptr fs:[00000030h] 2_2_010F0E78
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 4_2_01541E58 mov eax, dword ptr fs:[00000030h] 4_2_01541E58
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 4_2_015434F8 mov eax, dword ptr fs:[00000030h] 4_2_015434F8
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 4_2_01543498 mov eax, dword ptr fs:[00000030h] 4_2_01543498
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00B680A9
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B3A124 SetUnhandledExceptionFilter,0_2_00B3A124
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B3A155
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040CE09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040E61C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00416F6A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004123F1 SetUnhandledExceptionFilter,5_2_004123F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1157008
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B687B1 LogonUserW,0_2_00B687B1
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00B13B3A
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00B148D7
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B74C27 mouse_event,0_2_00B74C27
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\EYve4TeHvZ.exe"
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00B67CAF
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00B6874B
                Source: EYve4TeHvZ.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: EYve4TeHvZ.exe Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B3862B cpuid 0_2_00B3862B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA,5_2_00417A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00B44E87
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B51E06 GetUserNameW,0_2_00B51E06
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00B43F3A
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe Code function: 0_2_00B149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00B149A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: RegSvcs.exe, 00000005.00000002.1331812398.000000000828E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3049886.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5bb0000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.304899e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.304899e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1319539106.0000000003008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7832, type: MEMORYSTR
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                Source: RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                Source: RegSvcs.exe, 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                Source: EYve4TeHvZ.exe | Binary or memory string: WIN_81
                Source: EYve4TeHvZ.exe | Binary or memory string: WIN_XP
                Source: EYve4TeHvZ.exe | Binary or memory string: WIN_XPe
                Source: EYve4TeHvZ.exe | Binary or memory string: WIN_VISTA
                Source: EYve4TeHvZ.exe | Binary or memory string: WIN_7
                Source: EYve4TeHvZ.exe | Binary or memory string: WIN_8
                Source: EYve4TeHvZ.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                Source: Yara match | File source: 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7832, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 5.2.RegSvcs.exe.3049886.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3049886.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5bb0000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5bb0000.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.57f0ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.304899e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.304899e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1319539106.0000000003008000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7832, type: MEMORYSTR
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B86283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00B86283
                Source: C:\Users\user\Desktop\EYve4TeHvZ.exe | Code function: 0_2_00B86747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00B86747
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts
                221
                Windows Management Instrumentation
                1
                DLL Side-Loading
                1
                Exploitation for Privilege Escalation
                11
                Disable or Modify Tools
                1
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services11
                Archive Collected Data
                1
                Ingress Tool Transfer
                Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts2
                Native API
                2
                Valid Accounts
                1
                DLL Side-Loading
                11
                Deobfuscate/Decode Files or Information
                21
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol3
                Data from Local System
                1
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                Valid Accounts
                3
                Obfuscated Files or Information
                Security Account Manager1
                File and Directory Discovery
                SMB/Windows Admin Shares21
                Input Capture
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                Access Token Manipulation
                2
                Software Packing
                NTDS237
                System Information Discovery
                Distributed Component Object Model3
                Clipboard Data
                1
                Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                Process Injection
                1
                DLL Side-Loading
                LSA Secrets371
                Security Software Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Masquerading
                Cached Domain Credentials221
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Valid Accounts
                DCSync2
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job221
                Virtualization/Sandbox Evasion
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                Access Token Manipulation
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                Process Injection
                Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                Behavior Graph ID: 1636804 | Sample: EYve4TeHvZ.exe | Startdate: 13/03/2025 | Architecture: WINDOWS | Score: 100

                Start node signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

                • EYve4TeHvZ.exe 2 (started) — signatures: Binary is likely a compiled AutoIt script file; Switches to a custom stack to bypass stack traces
                • EYve4TeHvZ.exe 1 (started by the above) — signatures: Binary is likely a compiled AutoIt script file
                • RegSvcs.exe (started by the first EYve4TeHvZ.exe) — signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                • EYve4TeHvZ.exe 1 (started by the second EYve4TeHvZ.exe) — signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                • RegSvcs.exe (started by the second EYve4TeHvZ.exe)
                • RegSvcs.exe 10 4 (started by the third EYve4TeHvZ.exe) — DNS/IP: 45.144.212.192, 1912, 49712 HPC-MVM-ASHU Ukraine; signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

                Source | Detection | Scanner | Label
                EYve4TeHvZ.exe | 54% | Virustotal |
                EYve4TeHvZ.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
                EYve4TeHvZ.exe | 100% | Avira | TR/AD.RedLineSteal.xsmpg
                No Antivirus matches
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id23ResponseD | RegSvcs.exe, 00000005.00000002.1320108351.00000000036B2000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id12Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/ | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id2Response | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id21Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id9 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id8 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id5 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id4 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id7 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id6 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id19Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/10/wsat | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id15Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id6Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                https://api.ip.sb/ip | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1319539106.0000000003008000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/04/sc | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id1ResponseD | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id9Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id20 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id21 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id22 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id23 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id24 | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
                http://tempuri.org/Entity/Id24Response | RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false |  |
                                                                                                                  high
                                                                                                                  http://tempuri.org/Entity/Id1ResponseRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trustRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://tempuri.org/Entity/Id10RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://tempuri.org/Entity/Id11RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://tempuri.org/Entity/Id12RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://tempuri.org/Entity/Id16ResponseRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://tempuri.org/Entity/Id13RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://tempuri.org/Entity/Id14RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://tempuri.org/Entity/Id15RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://tempuri.org/Entity/Id16RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://tempuri.org/Entity/Id17RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://tempuri.org/Entity/Id18RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://tempuri.org/Entity/Id5ResponseRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://tempuri.org/Entity/Id19RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://tempuri.org/Entity/Id10ResponseRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://tempuri.org/Entity/Id8ResponseRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://schemas.xmlsoap.org/soap/envelope/RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1RegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trustRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://tempuri.org/Entity/Id3ResponseDRegSvcs.exe, 00000005.00000002.1320108351.00000000036B2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://tempuri.org/Entity/Id23ResponseRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://tempuri.org/DRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/06/addressingexRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoorRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultRegSvcs.exe, 00000005.00000002.1320108351.00000000033B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/RenewRegSvcs.exe, 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
Legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
45.144.212.192 | unknown | Ukraine | 47169 | HPC-MVM-ASHU | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1636804
Start date and time: 2025-03-13 06:16:13 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
                                                                                                                                                                                                                        Sample name:EYve4TeHvZ.exe
                                                                                                                                                                                                                        renamed because original name is a hash value
                                                                                                                                                                                                                        Original Sample Name:d89407ff1c7e68212ea29e5d7da5fba9.exe
                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winEXE@11/5@0/1
                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                        • Successful, ratio: 100%
                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                        • Successful, ratio: 96%
                                                                                                                                                                                                                        • Number of executed functions: 50
                                                                                                                                                                                                                        • Number of non-executed functions: 278
                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                        • Found application associated with file extension: .exe
                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 23.60.203.209, 52.149.20.212
                                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time     | Type            | Description
01:17:23 | API Interceptor | 14x Sleep call for process: RegSvcs.exe modified
                                                                                                                                                                                                                        No context
                                                                                                                                                                                                                        No context
Associated Sample Name / URL    | Detection | Threat Name          | Context
HPC-MVM-ASHURMBUDGSD23ED PO.exe | malicious | Remcos               | 45.144.212.83
PO-M4590 LIST ALL.exe           | malicious | XWorm                | 45.144.214.104
COHC INVOI NO 2500385 .exe      | malicious | XWorm                | 45.144.214.104
jklx86.elf                      | malicious | Unknown              | 45.131.150.222
esFK2gm.exe                     | malicious | Fallen Miner, Xmrig  | 45.144.212.77
yjYJ8QncaF.exe                  | malicious | Fallen Miner, Xmrig  | 45.144.212.77
cbr.ppc.elf                     | malicious | Mirai                | 45.131.150.227
PO#GREEN AURA.exe               | malicious | XWorm                | 45.144.214.104
pictures and specifications.exe | malicious | XWorm                | 45.144.214.104
Bestellbestätigung.exe          | malicious | XWorm                | 45.144.214.104
                                                                                                                                                                                                                        No context
                                                                                                                                                                                                                        No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3094
Entropy (8bit): 5.33145931749415
Encrypted: false
SSDEEP: 96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5: 3FD5C0634443FB2EF2796B9636159CB6
SHA1: 366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256: 58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512: 8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\Desktop\EYve4TeHvZ.exe
File Type: data
Category: dropped
Size (bytes): 343860
Entropy (8bit): 7.9741965699148
Encrypted: false
SSDEEP: 6144:i6GMXMIuzcCQ1gvEjUrvsUxUgPY8tFpmyxRkaO0pjSGcoTDztdRkUXZ578zY5oF0:pGMbuzcC5qwEUxUf8zpPS90pjqoTXr9Z
MD5: DBA9D554429778EAB4B3D6987DF301A5
SHA1: 0D31965E7FAABD1A4FD07999AC99957A4D8D80BC
SHA-256: 1E68D3D7C0B8A766A11A8CE596345716A90BE688C1149C9AB9C633EB7870D939
SHA-512: E7D4AE0F63B897CD8F8E46299854712937839C47BDA69E77EF86F1938DEF95E9A8C4782E3969BB029736DC37B95E2F4A65C97601450797E38E63E420B85BEE64
Malicious: false
Reputation: low
Preview: EA06..t..G.....cB..&..v.E..&.....w.Ti..,..;3p....R.x.%G.F.E=.h?....W.7...UR.U.....EY..m...VEB..er.e.....U..f.<.X@..].l....e....69.~]..S....viZ.w.q..vk...V....f..s....o.M>s.,..s.Mc....G2... .....m...1...{.MhS.L.4.9....M.R....viP........8P......8....P...1.P..30...*.O..f..e.gB..&...>..q..V.7..1bN.....kK...2..>g....}....+.l...i....9...gK...c3..v..K.......8u..Y.P.....2+\..+..*....d...fh...]j.x\~M$.U.*....k......M.~.!.Y.B39.L$...9K..f.Z\.,..Z.`.......Z.@......R'O.S(.....%.....#.D.V........Qf........<.'.......fg..S.XZ]j%..P....*...pz.F....*{P;]....|g .E.....>tM|.....<.UG.6._k.}.;{...ou..>...)s......v......L).<d..t..6....yB.l.....}G.y...t..J).zD.....p.....:.F..I.......3S9.R....2...W.X.......y..*.O......>+b._.\8.....wo.Mt.(..f.JV.I......X..g^o-#.A.sz.Z.?.<......u....X..f...U&4..*.n.S....O.q...,.....6. Cc.0..n4....y.K.[5Z.2.~).n.F....5.......b.....f.......u.UA..&.n..q.1.$.S.p-.HdS....t...O`v(.>..lGlYK..y$...\=6.oJ....l.y.qmv.-....&.....i..r..UjkP....6.
Process: C:\Users\user\Desktop\EYve4TeHvZ.exe
File Type: data
Category: dropped
Size (bytes): 343860
Entropy (8bit): 7.9741965699148
Encrypted: false
SSDEEP: 6144:i6GMXMIuzcCQ1gvEjUrvsUxUgPY8tFpmyxRkaO0pjSGcoTDztdRkUXZ578zY5oF0:pGMbuzcC5qwEUxUf8zpPS90pjqoTXr9Z
MD5: DBA9D554429778EAB4B3D6987DF301A5
SHA1: 0D31965E7FAABD1A4FD07999AC99957A4D8D80BC
SHA-256: 1E68D3D7C0B8A766A11A8CE596345716A90BE688C1149C9AB9C633EB7870D939
SHA-512: E7D4AE0F63B897CD8F8E46299854712937839C47BDA69E77EF86F1938DEF95E9A8C4782E3969BB029736DC37B95E2F4A65C97601450797E38E63E420B85BEE64
Malicious: false
Reputation: low
Preview: EA06..t..G.....cB..&..v.E..&.....w.Ti..,..;3p....R.x.%G.F.E=.h?....W.7...UR.U.....EY..m...VEB..er.e.....U..f.<.X@..].l....e....69.~]..S....viZ.w.q..vk...V....f..s....o.M>s.,..s.Mc....G2... .....m...1...{.MhS.L.4.9....M.R....viP........8P......8....P...1.P..30...*.O..f..e.gB..&...>..q..V.7..1bN.....kK...2..>g....}....+.l...i....9...gK...c3..v..K.......8u..Y.P.....2+\..+..*....d...fh...]j.x\~M$.U.*....k......M.~.!.Y.B39.L$...9K..f.Z\.,..Z.`.......Z.@......R'O.S(.....%.....#.D.V........Qf........<.'.......fg..S.XZ]j%..P....*...pz.F....*{P;]....|g .E.....>tM|.....<.UG.6._k.}.;{...ou..>...)s......v......L).<d..t..6....yB.l.....}G.y...t..J).zD.....p.....:.F..I.......3S9.R....2...W.X.......y..*.O......>+b._.\8.....wo.Mt.(..f.JV.I......X..g^o-#.A.sz.Z.?.<......u....X..f...U&4..*.n.S....O.q...,.....6. Cc.0..n4....y.K.[5Z.2.~).n.F....5.......b.....f.......u.UA..&.n..q.1.$.S.p-.HdS....t...O`v(.>..lGlYK..y$...\=6.oJ....l.y.qmv.-....&.....i..r..UjkP....6.
Process: C:\Users\user\Desktop\EYve4TeHvZ.exe
File Type: data
Category: dropped
Size (bytes): 343860
Entropy (8bit): 7.9741965699148
Encrypted: false
SSDEEP: 6144:i6GMXMIuzcCQ1gvEjUrvsUxUgPY8tFpmyxRkaO0pjSGcoTDztdRkUXZ578zY5oF0:pGMbuzcC5qwEUxUf8zpPS90pjqoTXr9Z
MD5: DBA9D554429778EAB4B3D6987DF301A5
SHA1: 0D31965E7FAABD1A4FD07999AC99957A4D8D80BC
SHA-256: 1E68D3D7C0B8A766A11A8CE596345716A90BE688C1149C9AB9C633EB7870D939
SHA-512: E7D4AE0F63B897CD8F8E46299854712937839C47BDA69E77EF86F1938DEF95E9A8C4782E3969BB029736DC37B95E2F4A65C97601450797E38E63E420B85BEE64
Malicious: false
Reputation: low
Preview: EA06..t..G.....cB..&..v.E..&.....w.Ti..,..;3p....R.x.%G.F.E=.h?....W.7...UR.U.....EY..m...VEB..er.e.....U..f.<.X@..].l....e....69.~]..S....viZ.w.q..vk...V....f..s....o.M>s.,..s.Mc....G2... .....m...1...{.MhS.L.4.9....M.R....viP........8P......8....P...1.P..30...*.O..f..e.gB..&...>..q..V.7..1bN.....kK...2..>g....}....+.l...i....9...gK...c3..v..K.......8u..Y.P.....2+\..+..*....d...fh...]j.x\~M$.U.*....k......M.~.!.Y.B39.L$...9K..f.Z\.,..Z.`.......Z.@......R'O.S(.....%.....#.D.V........Qf........<.'.......fg..S.XZ]j%..P....*...pz.F....*{P;]....|g .E.....>tM|.....<.UG.6._k.}.;{...ou..>...)s......v......L).<d..t..6....yB.l.....}G.y...t..J).zD.....p.....:.F..I.......3S9.R....2...W.X.......y..*.O......>+b._.\8.....wo.Mt.(..f.JV.I......X..g^o-#.A.sz.Z.?.<......u....X..f...U&4..*.n.S....O.q...,.....6. Cc.0..n4....y.K.[5Z.2.~).n.F....5.......b.....f.......u.UA..&.n..q.1.$.S.p-.HdS....t...O`v(.>..lGlYK..y$...\=6.oJ....l.y.qmv.-....&.....i..r..UjkP....6.
Process: C:\Users\user\Desktop\EYve4TeHvZ.exe
File Type: data
Category: dropped
Size (bytes): 422912
Entropy (8bit): 7.439584686925007
Encrypted: false
SSDEEP: 12288:8dwTnkh9Np4aZzdqSGRzedbFmyXU8SZ2fCcT9oW9:8Zp4aXoRzedbFmyXUxZ2IW9
MD5: 75B8CBE941586F299068B1731C7965B1
SHA1: D38EBB6A058C88CDEF6D9D87EDB16CF5A2DD6A01
SHA-256: 70D29D248FD0FC70C43940E4D9BB78A02D35E841FEE8EDE4F6352B296CC3D828
SHA-512: 4A77822EC5A44E54FDB41C9A1131FC7151DFB7E4A5F043C5F598F408BD2A48E9B8CD2E3AA01698CBBAEE8A2E8BC7EC8E25C2EE825B8DB663DCD6F6E5FF2C5AC5
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.229023307471796
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: EYve4TeHvZ.exe
File size: 1'247'232 bytes
MD5: d89407ff1c7e68212ea29e5d7da5fba9
SHA1: 8def9ed32436c34b27fcee48b9b10e4f4b519f74
SHA256: af621a0196ca315b44e889e295e0b227a1ed3afc3e2f1b266875436874138fa3
SHA512: 8f7fe44749ce7259dc8279a0a764a9fafd4ce9beae16cc50aeaabab756243a8c1ac881e5a3a37912821c5a2cfbd15e69431aae11770d1c42309517dd212f70fb
SSDEEP: 24576:vu6J33O0c+JY5UZ+XC0kGso6Fa/IkNPfDkQJMJP2WY:Zu0c++OCvkGs9Fa/ZwbfY
TLSH: DD45CF22B3DDC360CB669173BF69B7056EBF7C214630B85B2F880D7DA950162262D763
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67CE2D0E [Mon Mar 10 00:06:38 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7

Instruction (disassembly at entrypoint)
call 00007FA0E87D363Ah
jmp 00007FA0E87C6404h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FA0E87C658Ah
cmp edi, eax
jc 00007FA0E87C68EEh
bt dword ptr [004C31FCh], 01h
jnc 00007FA0E87C6589h
rep movsb
jmp 00007FA0E87C689Ch
cmp ecx, 00000080h
jc 00007FA0E87C6754h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FA0E87C6590h
bt dword ptr [004BE324h], 01h
jc 00007FA0E87C6A60h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FA0E87C672Dh
test edi, 00000003h
jne 00007FA0E87C673Eh
test esi, 00000003h
jne 00007FA0E87C671Dh
bt edi, 02h
jnc 00007FA0E87C658Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FA0E87C6593h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FA0E87C65E5h
bt esi, 03h
jnc 00007FA0E87C6638h

Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Data directories:

Name                                  Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xba44c           0x17c          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000           0x67f88        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0               0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x12f000          0x711c         .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x92bc0           0x1c           .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xa4870           0x40           .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8f000           0x884          .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0               0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x67f88 | 0x680000 | 993e811e2e88e94b511ffb1c8906dc4e | False | 0.9370164137620193 | data | 7.913874925931253 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12f000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x5f24f | data | | | 1.0003233165089003
RT_GROUP_ICON | 0x12ea08 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12ea80 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x12ea94 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x12eaa8 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12eabc | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x12eb98 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Description | Data
Translation | 0x0809 0x04b0

Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-03-13T06:17:17.879285+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:17.879285+0100 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:18.061900+0100 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 45.144.212.192 | 1912 | 192.168.2.4 | 49712 | TCP
2025-03-13T06:17:23.350751+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:23.543075+0100 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 45.144.212.192 | 1912 | 192.168.2.4 | 49712 | TCP
2025-03-13T06:17:25.545844+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
2025-03-13T06:17:25.782649+0100 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.4 | 49712 | 45.144.212.192 | 1912 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 13, 2025 06:17:17.184657097 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:17.189533949 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:17.189606905 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:17.200844049 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:17.205553055 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:17.811148882 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:17.877578974 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:17.879285097 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:17.883920908 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:18.061899900 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:18.112071991 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:23.350750923 CET | 49712 | 1912 | 192.168.2.4 | 45.144.212.192
Mar 13, 2025 06:17:23.355398893 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:23.542956114 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:23.542968988 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
Mar 13, 2025 06:17:23.542979002 CET | 1912 | 49712 | 45.144.212.192 | 192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:23.543039083 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:23.543075085 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:23.543087006 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:23.543114901 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:23.596415997 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.539463043 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544234991 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544246912 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544276953 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544286966 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544320107 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544329882 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544336081 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544341087 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544349909 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544362068 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544367075 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544419050 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544482946 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.544552088 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549133062 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549149036 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549190044 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549221039 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549257994 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549266100 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549274921 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549284935 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549293995 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549312115 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549320936 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549326897 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549340963 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549370050 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549412012 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549422979 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549427986 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.549474955 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.553935051 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554064035 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554073095 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554084063 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554115057 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554126024 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554172039 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554192066 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554290056 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554299116 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554356098 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554363966 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554462910 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554476023 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554502964 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554519892 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554544926 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554548025 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554578066 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554595947 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554604053 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554634094 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554694891 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554703951 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554713011 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554716110 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554721117 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554738998 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554749966 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554770947 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554799080 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554800034 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554809093 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554817915 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554826021 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554848909 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554852009 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554860115 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554863930 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554867983 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554903030 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.554929018 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558789968 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558799028 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558832884 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558841944 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558851957 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558861017 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558875084 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558887959 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558895111 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558903933 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558919907 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558927059 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558928967 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558950901 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558959007 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558959007 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.558988094 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.559005976 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565220118 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565227032 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565244913 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565253973 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565260887 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565269947 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565294981 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565304995 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565320015 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565327883 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565339088 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.565345049 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569127083 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569135904 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569139004 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569147110 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569154978 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569161892 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569200039 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569209099 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569217920 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569226027 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569278955 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569287062 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569289923 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569298983 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569350004 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569394112 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569401979 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569403887 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569411993 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569421053 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569428921 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569437027 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569446087 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569454908 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569475889 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569484949 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569494009 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569503069 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569524050 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569533110 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569536924 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569540024 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569621086 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569629908 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569634914 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569643974 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569659948 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569669008 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569684029 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569752932 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569761038 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569768906 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569792032 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569801092 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569946051 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569955111 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569962025 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569971085 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569978952 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569991112 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.569998980 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.570008039 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.570024014 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.570030928 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.570039988 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574474096 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574481964 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574520111 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574528933 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574532986 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574549913 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574634075 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574642897 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574697971 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574707985 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574708939 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574716091 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574732065 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574748039 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574757099 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574769974 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574794054 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574801922 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574809074 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574819088 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574835062 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574842930 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574851990 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574862003 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574942112 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574950933 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574959993 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574969053 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.574978113 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.575025082 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.575033903 CET19124971245.144.212.192192.168.2.4
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Mar 13, 2025 06:17:24.575120926 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575130939 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575138092 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575146914 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575161934 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575198889 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575208902 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575221062 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575337887 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575346947 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575350046 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575354099 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575361967 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575371027 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575403929 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575412035 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575416088 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575423956 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575439930 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575448036 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575458050 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575500011 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575509071 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.575544119 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579675913 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579684973 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579693079 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579701900 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579720020 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579729080 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579737902 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579747915 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579822063 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579830885 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579838037 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579847097 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579855919 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579865932 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579902887 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579911947 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579916954 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579925060 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.579930067 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.579994917 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.580018044 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580028057 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580111980 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580121994 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580125093 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580127954 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580146074 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580154896 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580178022 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580187082 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580208063 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580215931 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580241919 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580250978 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580272913 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580281973 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580365896 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580374002 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580380917 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580390930 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580501080 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580508947 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580518007 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580527067 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580534935 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580544949 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580560923 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580569983 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580585003 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580593109 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580600023 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580610037 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580626965 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580636978 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.580643892 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585125923 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585134983 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585180044 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585187912 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585197926 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585208893 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585223913 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585232973 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585268021 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585277081 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585290909 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585315943 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585324049 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585331917 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585340977 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585534096 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585541964 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.585542917 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585558891 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585570097 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585602999 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.585613012 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585622072 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585629940 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585638046 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585695028 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585752010 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585761070 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585782051 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585789919 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585901976 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585910082 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585912943 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585922003 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585930109 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.585937977 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.612071037 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.616784096 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.616995096 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.617063999 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.617063999 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.617108107 CET  49712        1912       192.168.2.4     45.144.212.192
Mar 13, 2025 06:17:24.621721983 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.621748924 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.621822119 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.621836901 CET  1912         49712      45.144.212.192  192.168.2.4
Mar 13, 2025 06:17:24.621942997 CET  1912         49712      45.144.212.192  192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.621959925 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622052908 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622061014 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622144938 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622153997 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622205973 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622255087 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622342110 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622350931 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.622376919 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.643301964 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:24.647981882 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:25.545008898 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:25.545844078 CET497121912192.168.2.445.144.212.192
                                                                                                                                                                                                                        Mar 13, 2025 06:17:25.550518990 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:25.754959106 CET19124971245.144.212.192192.168.2.4
                                                                                                                                                                                                                        Mar 13, 2025 06:17:25.782649040 CET497121912192.168.2.445.144.212.192

Target ID: 0
Start time: 01:17:08
Start date: 13/03/2025
Path: C:\Users\user\Desktop\EYve4TeHvZ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase: 0xb10000
File size: 1'247'232 bytes
MD5 hash: D89407FF1C7E68212EA29E5D7DA5FBA9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1171362184.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 01:17:09
Start date: 13/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase: 0x380000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 01:17:09
Start date: 13/03/2025
Path: C:\Users\user\Desktop\EYve4TeHvZ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase: 0xb10000
File size: 1'247'232 bytes
MD5 hash: D89407FF1C7E68212EA29E5D7DA5FBA9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1187752931.0000000003880000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 3
Start time: 01:17:11
Start date: 13/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase: 0x50000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 01:17:11
Start date: 13/03/2025
Path: C:\Users\user\Desktop\EYve4TeHvZ.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase: 0xb10000
File size: 1'247'232 bytes
MD5 hash: D89407FF1C7E68212EA29E5D7DA5FBA9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.1200576416.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 5
Start time: 01:17:12
Start date: 13/03/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase: 0xe80000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1318277497.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: infostealer_win_redline_strings, Description: Finds Redline samples based on characteristic strings, Source: 00000005.00000002.1326564908.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1319539106.0000000003008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: infostealer_win_redline_strings, Description: Finds Redline samples based on characteristic strings, Source: 00000005.00000002.1327870923.0000000005BB0000.00000004.08000000.00040000.00000000.sdmp, Author: Sekoia.io
Reputation: high
Has exited: true
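The process list above shows the injection chain directly: every RegSvcs.exe instance (a Microsoft .NET framework binary) was started with the AutoIt dropper's own command line, and the RedLine YARA rules fire on memory regions of those processes rather than on the RegSvcs image. The following script is an added triage example, not part of the Joe Sandbox report or its tooling: it parses the report's "Key:Value" process blocks (three of the records above, copied in as constructed input) and flags a command line naming a different executable than the running image, plus YARA hits whose dump region does not start at the process image base. The function names are assumptions, as is the reading of the fourth dotted field of a dump name as the region's base address.

```python
"""Triage of Joe Sandbox process records (added example, not report tooling)."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed input: Target ID 0, 1 and 5 from the report, trimmed to the
# fields this script uses. Record 5's hit at 0x400000 is the classic
# base of an injected PE; RegSvcs.exe itself is mapped at 0xe80000.
REPORT = r"""
Target ID:0
Path:C:\Users\user\Desktop\EYve4TeHvZ.exe
Commandline:"C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase:0xb10000
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1171362184.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen

Target ID:1
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase:0x380000

Target ID:5
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Commandline:"C:\Users\user\Desktop\EYve4TeHvZ.exe"
Imagebase:0xe80000
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1320108351.000000000344B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.1318277497.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
"""


@dataclass
class ProcRecord:
    target_id: int
    path: str            # image actually executing
    commandline: str     # command line as reported by the sandbox
    imagebase: int
    yara_sources: list = field(default_factory=list)  # matched .sdmp dump names


def parse_report(text: str) -> list:
    """Split blank-line separated process blocks into ProcRecord objects."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, yara = {}, []
        for line in block.splitlines():
            if "Rule:" in line and "Source:" in line:      # a YARA bullet
                m = re.search(r"Source: (\S+\.sdmp)", line)
                if m:
                    yara.append(m.group(1))
                continue
            key, _, value = line.partition(":")            # first colon only
            fields[key.strip()] = value.strip()
        records.append(ProcRecord(
            target_id=int(fields["Target ID"]),
            path=fields["Path"],
            commandline=fields["Commandline"],
            imagebase=int(fields["Imagebase"], 16),
            yara_sources=yara,
        ))
    return records


def commandline_image(cmd: str) -> str:
    """First token of a Windows command line, honouring surrounding quotes."""
    m = re.match(r'"([^"]*)"|(\S+)', cmd.strip())
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def dump_base(sdmp_name: str) -> int:
    """Region base from a dump name; assumed to be the 4th dotted field."""
    return int(sdmp_name.split(".")[3], 16)


def triage(records: list) -> list:
    """Return (target_id, kind, detail) findings for the records."""
    findings = []
    for r in records:
        image = PureWindowsPath(r.path).name.lower()
        claimed = PureWindowsPath(commandline_image(r.commandline)).name.lower()
        if image != claimed:
            findings.append((r.target_id, "cmdline_mismatch",
                             f"{image} running under the command line of {claimed}"))
        for src in r.yara_sources:
            base = dump_base(src)
            if base != r.imagebase:
                findings.append((r.target_id, "yara_outside_image",
                                 f"hit at {base:#x}, image base {r.imagebase:#x}"))
    return findings


if __name__ == "__main__":
    for tid, kind, detail in triage(parse_report(REPORT)):
        print(f"target {tid}: {kind}: {detail}")
```

Both checks are cheap to port to endpoint telemetry: compare the image path of a process-creation event with the executable named in its command line, and treat scanner hits in private or mapped executable memory of a signed host binary such as RegSvcs.exe as an injection indicator rather than a file-based one. The base-address reading of the dump name is an assumption about Joe Sandbox's naming scheme; if it does not hold for other reports, the command-line check still stands on its own.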
