Analysis Report GV6fciJUF1.exe

Overview

General Information

Sample Name: GV6fciJUF1.exe
Analysis ID: 318066
MD5: bfaaa05064bf433bb5f472949afb4bda
SHA1: 883a59675cf0e46082ba6b252d92f0c3a7d8e463
SHA256: 67e79aee5a167c0042612414b8779ff58d9c9c8b4ad1cb1ff41aa9df15a67a8e

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • GV6fciJUF1.exe (PID: 5960 cmdline: 'C:\Users\user\Desktop\GV6fciJUF1.exe' MD5: BFAAA05064BF433BB5F472949AFB4BDA)
    • RegAsm.exe (PID: 5672 cmdline: 'C:\Users\user\Desktop\GV6fciJUF1.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 68 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Europaeisk.exe (PID: 6712 cmdline: 'C:\Users\user\BEFRIS\Europaeisk.exe' MD5: BFAAA05064BF433BB5F472949AFB4BDA)
    • RegAsm.exe (PID: 6832 cmdline: 'C:\Users\user\BEFRIS\Europaeisk.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Europaeisk.exe (PID: 6824 cmdline: 'C:\Users\user\BEFRIS\Europaeisk.exe' MD5: BFAAA05064BF433BB5F472949AFB4BDA)
    • RegAsm.exe (PID: 6892 cmdline: 'C:\Users\user\BEFRIS\Europaeisk.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)
      • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.481239103.0000000000D60000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000012.00000002.481339101.00000000011A0000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
00000001.00000002.479886260.0000000000C30000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 6832 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 5672 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: GV6fciJUF1.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\BEFRIS\Europaeisk.exe, Avira: detection malicious, Label: TR/AD.VBCryptor.shppt
Multi AV Scanner detection for dropped file
Source: C:\Users\user\BEFRIS\Europaeisk.exe, ReversingLabs: Detection: 77%
Multi AV Scanner detection for submitted file
Source: GV6fciJUF1.exe, Virustotal: Detection: 61%
Source: GV6fciJUF1.exe, ReversingLabs: Detection: 77%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Code function: 1_2_00C32BAC InternetReadFile,1_2_00C32BAC
Source: unknown, DNS traffic detected: queries for: onedrive.live.com
            Source: RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538466&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538467&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538468&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538469&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538470&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538471&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538472&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538473&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538474&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538475&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538476&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538477&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538478&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538479&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538480&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538481&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538482&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538483&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538484&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.528394135.00000000015F5000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538485&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538486&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000002.528394135.00000000015F5000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538487&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000002.528394135.00000000015F5000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538488&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000012.00000002.528394135.00000000015F5000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538489&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1=
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/loginD
            Source: RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1605538406&rver=7.3.6962.0&wp=MBI_SSL_SH
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1605538434&rver=7.3.6962.0&wp=MBI_SSL_SH
            Source: RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1605538489&rver=7.3.6962.0&wp=MBI_SSL_SH
            Source: RegAsm.exe, 00000001.00000002.484341274.0000000000F90000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/mCertificates
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ography
            Source: RegAsm.exe, 00000012.00000003.466318968.00000000015ED000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/pp1600/
            Source: RegAsm.exe, 00000001.00000002.484341274.0000000000F90000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/prod.aadmsa.akadns.net
            Source: RegAsm.exe, 00000001.00000003.295558578.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/r
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/u
            Source: RegAsm.exe, 00000012.00000002.525079166.00000000015D0000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/v
            Source: RegAsm.exe, 00000001.00000002.487937252.0000000002840000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: https://logincdn.msauth.net/
            Source: RegAsm.exe, 00000001.00000002.487937252.0000000002840000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_LF5wadGUj8ZgZU2sWOZt
            Source: RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmpString found in binary or memory: https://logincdn.msauth.net/shared/1.0/
            Source: RegAsm.exe, 00000001.00000002.487937252.0000000002840000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_m_AEFbtYqJeKR6sGUe93pA2.js
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmp, RegAsm.exe, 00000012.00000002.525079166.00000000015D0000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/
            Source: RegAsm.exe, 00000001.00000003.356363685.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/-9769-133e6dd
            Source: RegAsm.exe, 00000001.00000003.356363685.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/44
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/DL1BZMCy7gkjqiuFbh4BiH6i06Gt8j0MBnlEzhZAmfV4QjcdMO7qRELnwUjGSDr5RjpBl7rWzg
            Source: RegAsm.exe, 00000001.00000003.343697566.0000000001034000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/downlo
            Source: RegAsm.exe, 00000001.00000002.479564220.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=E3DDC3980F743711&resid=E
            Source: RegAsm.exe, 00000010.00000002.480469196.0000000000D3A000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=E3DDC3980F743711&resid=E3DDC
            Source: RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=E3DDC3980F743711&resid=E3DDC3980F743711%21784&authkey=AGU
            Source: RegAsm.exe, RegAsm.exe, 00000012.00000003.419022444.00000000015CC000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=E3DDC3980F743711&resid=E3DDC3980F743711%21784&authkey=AGURDZX
            Source: RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=E3DDC3980F743711&resid=E3qi
            Source: RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=EQh
            Source: RegAsm.exe, 00000001.00000003.390016181.0000000001065000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/ex
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/ky
            Source: RegAsm.exe, 00000001.00000003.356363685.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/tyLS6JLI5fNdE?
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/zP
            Source: RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmpString found in binary or memory: https://p.sfx.ms/login/v1/header.html?id=250206&mkt=EN-US&cbcxt=sky
            Source: RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmpString found in binary or memory: https://sc.imp.live.com/content/dam/imp/surfaces/mail_signin/v3/sky/EN-US.html?id=250206&mkt=EN-US&c
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
            Source: RegAsm.exe, 00000001.00000002.484381124.0000000000FDF000.00000004.00000020.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/ssca-sha2-g7.crl0/
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/ssca-sha2-g7.crl0L
            Source: RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: http://explore.live.com/windows-live-sign-in-single-use-code-faq
            Source: RegAsm.exeString found in binary or memory: http://myurl/myfile.bin
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0
            Source: RegAsm.exe, 00000001.00000002.484381124.0000000000FDF000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.digicert.com0:
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0F
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.msocsp.com0
            Source: RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmpString found in binary or memory: https://account.live.com/security/LoginStage.aspx?lmif=1000&ru=https://login.live.com/login.srf%3Fwa
            Source: RegAsm.exe, 00000001.00000002.487937252.0000000002840000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
            Source: RegAsm.exe, 00000001.00000002.487937252.0000000002840000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmp, RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: https://lgincdnvzeuno.azureedge.net/
            Source: RegAsm.exe, 00000001.00000003.356264598.0000000000FD0000.00000004.00000001.sdmpString found in binary or memory: https://lhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538435&rver=7.3.6962.0&wp=MB
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmpString found in binary or memory: https://lhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538487&rver=7.3.6962.0&wp=MB
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmpString found in binary or memory: https://lhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538489&rver=7.3.6962.0&wp=MB
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmpString found in binary or memory: https://login.li
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.lig
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmpString found in binary or memory: https://login.live.
            Source: RegAsm.exe, 00000001.00000002.484341274.0000000000F90000.00000004.00000020.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/
            Source: RegAsm.exe, 00000012.00000003.419022444.00000000015CC000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/%26resid%3DE3DDC3980F743711%2521784%26authkey%3DAGURDZXnph4fWLs&lc=1033&id=25
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com//
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com//c
            Source: RegAsm.exe, 00000001.00000003.356363685.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/1
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/2011_2011-03-29.crt0
            Source: RegAsm.exe, 00000012.00000003.419022444.00000000015CC000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/38457&rver=7.3.6962.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fonedrive.live.com%
            Source: RegAsm.exe, 00000012.00000003.402924231.00000000015DD000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/40-CH
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/AGURDZXn
            Source: RegAsm.exe, 00000012.00000003.419022444.00000000015CC000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/J
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/List
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.427677332.0000000001055000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/M
            Source: RegAsm.exe, 00000012.00000002.521193100.00000000015A6000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/O
            Source: RegAsm.exe, 00000010.00000002.538240432.0000000002990000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=28f268b169b44f9fa8b8e865d01be0c3&mkt=EN-US&lc=1033
            Source: RegAsm.exe, 00000001.00000002.487937252.0000000002840000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000002.484394903.0000000000FFE000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=cd76dd2aaa064691920a3f0fd66aea6c&mkt=EN-US&lc=1033
            Source: RegAsm.exe, 00000012.00000002.542325474.0000000002E10000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=f09cfa65f1ff4a89a947cd82c9d77aa2&mkt=EN-US&lc=1033
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/ducts/MicCerLisCA2011_2011-03-29.crl0
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/e-4446-861e-87e013958b250
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/eYk
            Source: RegAsm.exe, 00000001.00000003.356293819.0000000000FFE000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/icrosoft
            Source: RegAsm.exe, 00000012.00000003.466336385.00000000015C9000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/id%3DE3DDC3980F743711%2521784%26authkey%3DAGURDZi
            Source: RegAsm.exe, 00000001.00000003.295558578.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/k
            Source: RegAsm.exe, 00000001.00000002.484410463.0000000001025000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rL
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rm
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&5
            Source: RegAsm.exe, 00000001.00000003.356274603.0000000000FDF000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538397&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.356264598.0000000000FD0000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538399&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538400&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.295578068.0000000001032000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295547490.000000000101A000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.356264598.0000000000FD0000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538401&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.295558578.0000000001025000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538402&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.343697566.0000000001034000.00000004.00000001.sdmp, RegAsm.exe, 00000001.00000003.295585888.0000000001037000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538403&rver=7.3.6962.0&wp=MBI_SSL_SHA
            Source: RegAsm.exe, 00000001.00000003.343697566.0000000001034000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1605538404&rver=7.3.6962.0&wp=MBI_SSL_SHA

            System Summary:

            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02252BAC NtResumeThread,0_2_02252BAC
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02252AC7 NtResumeThread,0_2_02252AC7
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250FF6 NtWriteVirtualMemory,0_2_02250FF6
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_022527DF NtProtectVirtualMemory,0_2_022527DF
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02252BAC NtResumeThread,0_2_02252BAC
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02252AC7 NtResumeThread,0_2_02252AC7
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250FF6 NtWriteVirtualMemory,0_2_02250FF6
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_022527DF NtProtectVirtualMemory,0_2_022527DF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00C300CF EnumWindows,NtSetInformationThread,Sleep,1_2_00C300CF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00C3280F NtProtectVirtualMemory,1_2_00C3280F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00C3010F NtSetInformationThread,1_2_00C3010F
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A2BAC NtResumeThread,14_2_022A2BAC
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A2825 NtProtectVirtualMemory,14_2_022A2825
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A2AC6 NtProtectVirtualMemory,14_2_022A2AC6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D600CF EnumWindows,NtSetInformationThread,Sleep,16_2_00D600CF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D6280F NtProtectVirtualMemory,16_2_00D6280F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D6010F NtSetInformationThread,16_2_00D6010F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_011A280F NtProtectVirtualMemory,18_2_011A280F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_011A00CF EnumWindows,NtSetInformationThread,Sleep,18_2_011A00CF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_011A010F NtSetInformationThread,18_2_011A010F
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_022527DF0_2_022527DF
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: String function: 00401328 appears 42 times
            Source: GV6fciJUF1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Europaeisk.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: GV6fciJUF1.exeBinary or memory string: OriginalFilename vs GV6fciJUF1.exe
            Source: GV6fciJUF1.exe, 00000000.00000002.377999498.0000000000407000.00000002.00020000.sdmpBinary or memory string: OriginalFilenametegnefejlen.exe vs GV6fciJUF1.exe
            Source: GV6fciJUF1.exeBinary or memory string: OriginalFilenametegnefejlen.exe vs GV6fciJUF1.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dll
            Source: classification engineClassification label: mal100.rans.troj.evad.winEXE@12/1@3/0
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\BEFRIS
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:68:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01
            Source: GV6fciJUF1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\BEFRIS\Europaeisk.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: GV6fciJUF1.exeVirustotal: Detection: 61%
            Source: GV6fciJUF1.exeReversingLabs: Detection: 77%
            Source: unknownProcess created: C:\Users\user\Desktop\GV6fciJUF1.exe 'C:\Users\user\Desktop\GV6fciJUF1.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\GV6fciJUF1.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\BEFRIS\Europaeisk.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: unknownProcess created: C:\Users\user\BEFRIS\Europaeisk.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\GV6fciJUF1.exe'
            Source: C:\Users\user\BEFRIS\Europaeisk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: C:\Users\user\BEFRIS\Europaeisk.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara matchFile source: 00000010.00000002.481239103.0000000000D60000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000012.00000002.481339101.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.479886260.0000000000C30000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6832, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5672, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6892, type: MEMORY
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_0041262A pushad ; iretd 0_2_0041262B
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_004101BF push 00000070h; iretd 0_2_004101C1
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250C2A push es; retf 0_2_02250D48
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250E1D push ebp; iretd 0_2_02250E70
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250C77 push es; retf 0_2_02250D48
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250CAB push es; retf 0_2_02250D48
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_022504FF push ebp; iretd 0_2_02250504
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250CD4 push es; retf 0_2_02250D48
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_02250ED0 push ebp; iretd 0_2_02250E70
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_0225212F push cs; retf 0_2_0225213C
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeCode function: 0_2_022501D8 push eax; retf 0_2_022501F3
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A0E1D push ebp; iretd 14_2_022A0E70
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A12C4 push FFFFFFC1h; iretd 14_2_022A12C8
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A04DC push ebp; iretd 14_2_022A0504
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A2124 push cs; retf 14_2_022A213C
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A113C push edx; iretd 14_2_022A1140
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A0D1F push ebp; iretd 14_2_022A0D2C
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A1F11 push edi; iretd 14_2_022A1F14
            Source: C:\Users\user\BEFRIS\Europaeisk.exeCode function: 14_2_022A0DFB push es; iretd 14_2_022A0E1C
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile created: C:\Users\user\BEFRIS\Europaeisk.exe
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce BALLELSSERNE
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\BEFRIS\Europaeisk.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Contains functionality to detect hardware virtualization (CPUID execution measurement)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00C312FC 1_2_00C312FC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 16_2_00D612FC 16_2_00D612FC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 18_2_011A12FC 18_2_011A12FC
            Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeEvasive API call chain: GetPEB, DecisionNodes, Sleepgraph_1-1576
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeRDTSC instruction interceptor: First address: 00000000022512FF second address: 000000000225131D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F0AF0BF2F32h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\GV6fciJUF1.exeRDTSC instruction interceptor: First address: 000000000225131D second address: 00000000022512FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F0AF0BF3000h 0x00000011 lfence 0x00000014 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000C312FF second address: 0000000000C3131D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F0AF0BF2F32h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000C3131D second address: 0000000000C312FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F0AF0BF3000h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F0AF0BF3023h 0x0000001b push ecx 0x0000001c call 00007F0AF0BF3051h 0x00000021 lfence 0x00000024 rdtsc
            Source: C:\Users\user\BEFRIS\Europaeisk.exeRDTSC instruction interceptor: First address: 00000000022A12FF second address: 00000000022A131D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F0AF0BF2F32h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\BEFRIS\Europaeisk.exeRDTSC instruction interceptor: First address: 00000000022A131D second address: 00000000022A12FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F0AF0BF3000h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F0AF0BF3023h 0x0000001b push ecx 0x0000001c call 00007F0AF0BF3051h 0x00000021 lfence 0x00000024 rdtsc
            Source: C:\Users\user\BEFRIS\Europaeisk.exeRDTSC instruction interceptor: First address: 00000000020D12FF second address: 00000000020D131D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F0AF0BF2F32h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Users\user\BEFRIS\Europaeisk.exeRDTSC instruction interceptor: First address: 00000000020D131D second address: 00000000020D12FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F0AF0BF3000h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F0AF0BF3023h 0x0000001b push ecx 0x0000001c call 00007F0AF0BF3051h 0x00000021 lfence 0x00000024 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000D612FF second address: 0000000000D6131D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F0AF0BF2F32h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 0000000000D6131D second address: 0000000000D612FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F0AF0BF3000h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F0AF0BF3023h 0x0000001b push ecx 0x0000001c call 00007F0AF0BF3051h 0x00000021 lfence 0x00000024 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 00000000011A12FF second address: 00000000011A131D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F0AF0BF2F32h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeRDTSC instruction interceptor: First address: 00000000011A131D second address: 00000000011A12FF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F0AF0BF3000h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F0AF0BF3023h 0x0000001b push ecx 0x0000001c call 00007F0AF0BF3051h 0x00000021 lfence 0x00000024 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened / queried: C:\ProgramData\qemu-ga\qga.state
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 1_2_00C312FC rdtsc 1_2_00C312FC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5664Thread sleep time: -1440000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6836Thread sleep count: 84 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6836Thread sleep time: -840000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6896Thread sleep count: 87 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6896Thread sleep time: -870000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: RegAsm.exeBinary or memory string: C:\ProgramData\qemu-ga\qga.state
            Source: RegAsm.exe, 00000001.00000002.484381124.0000000000FDF000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: RegAsm.exeBinary or memory string: C:\ProgramData\qemu-ga\qga.state
            Source: RegAsm.exe, 00000001.00000002.484381124.0000000000FDF000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW

            Anti Debugging:

            Contains functionality to hide a thread from the debugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C300CF NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 1_2_00C300CF
            Hides threads from debuggers
            Source: C:\Users\user\Desktop\GV6fciJUF1.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\BEFRIS\Europaeisk.exe Thread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C312FC rdtsc 1_2_00C312FC
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C3153D LdrInitializeThunk, 1_2_00C3153D
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C320CF mov eax, dword ptr fs:[00000030h] 1_2_00C320CF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C30A90 mov eax, dword ptr fs:[00000030h] 1_2_00C30A90
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C325A6 mov eax, dword ptr fs:[00000030h] 1_2_00C325A6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C3224F mov eax, dword ptr fs:[00000030h] 1_2_00C3224F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C31253 mov eax, dword ptr fs:[00000030h] 1_2_00C31253
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 1_2_00C3066B mov eax, dword ptr fs:[00000030h] 1_2_00C3066B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00D620CF mov eax, dword ptr fs:[00000030h] 16_2_00D620CF
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00D60A90 mov eax, dword ptr fs:[00000030h] 16_2_00D60A90
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00D625A6 mov eax, dword ptr fs:[00000030h] 16_2_00D625A6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00D61253 mov eax, dword ptr fs:[00000030h] 16_2_00D61253
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00D6224F mov eax, dword ptr fs:[00000030h] 16_2_00D6224F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 16_2_00D6066B mov eax, dword ptr fs:[00000030h] 16_2_00D6066B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011A1253 mov eax, dword ptr fs:[00000030h] 18_2_011A1253
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011A224F mov eax, dword ptr fs:[00000030h] 18_2_011A224F
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011A066B mov eax, dword ptr fs:[00000030h] 18_2_011A066B
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011A0A90 mov eax, dword ptr fs:[00000030h] 18_2_011A0A90
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011A25A6 mov eax, dword ptr fs:[00000030h] 18_2_011A25A6
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Code function: 18_2_011A20CF mov eax, dword ptr fs:[00000030h] 18_2_011A20CF

            HIPS / PFW / Operating System Protection Evasion:

            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\GV6fciJUF1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: C30000
            Source: C:\Users\user\BEFRIS\Europaeisk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: D60000
            Source: C:\Users\user\BEFRIS\Europaeisk.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 11A0000
            Source: C:\Users\user\Desktop\GV6fciJUF1.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\GV6fciJUF1.exe'
            Source: C:\Users\user\BEFRIS\Europaeisk.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\BEFRIS\Europaeisk.exe'
            Source: RegAsm.exe, 00000001.00000002.484454563.0000000001420000.00000002.00000001.sdmp, RegAsm.exe, 00000010.00000002.529398720.0000000001570000.00000002.00000001.sdmp, RegAsm.exe, 00000012.00000002.532111856.00000000019F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
            Source: RegAsm.exe, 00000001.00000002.484454563.0000000001420000.00000002.00000001.sdmp, RegAsm.exe, 00000010.00000002.529398720.0000000001570000.00000002.00000001.sdmp, RegAsm.exe, 00000012.00000002.532111856.00000000019F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000001.00000002.484454563.0000000001420000.00000002.00000001.sdmp, RegAsm.exe, 00000010.00000002.529398720.0000000001570000.00000002.00000001.sdmp, RegAsm.exe, 00000012.00000002.532111856.00000000019F0000.00000002.00000001.sdmp Binary or memory string: Progman
            Source: RegAsm.exe, 00000001.00000002.484454563.0000000001420000.00000002.00000001.sdmp, RegAsm.exe, 00000010.00000002.529398720.0000000001570000.00000002.00000001.sdmp, RegAsm.exe, 00000012.00000002.532111856.00000000019F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
            Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API 1 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 521 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | DLL Side-Loading 1 | Registry Run Keys / Startup Folder 1 | Virtualization/Sandbox Evasion 12 | LSASS Memory | Virtualization/Sandbox Evasion 12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading 1 | Process Injection 112 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | System Information Discovery 22 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

            Behavior Graph

            [Figure: behavior graph, Behavior Graph ID: 318066]