Edit tour

Windows Analysis Report
23bGlBtTiX.exe

Overview

General Information

Sample name:	23bGlBtTiX.exe renamed because original name is a hash value
Original sample name:	ca6e33cf72e210e9b8faaa354de8b2382fc5e2a163d9172802011f68983fccb0.exe
Analysis ID:	1446918
MD5:	4e14611a07ab337ac271117a19c3181e
SHA1:	b1e420c460b8dd3d8fbcd5e1f0a14da833d6c05e
SHA256:	ca6e33cf72e210e9b8faaa354de8b2382fc5e2a163d9172802011f68983fccb0
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sample uses string decryption to hide its real strings

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Installs a raw input device (often for capturing keystrokes)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

23bGlBtTiX.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\23bGlBtTiX.exe" MD5: 4E14611A07AB337AC271117A19C3181E)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
23bGlBtTiX.exe	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1679030875.000001DAD1FDB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2990307355.000001DAD60C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: 23bGlBtTiX.exe PID: 6760	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.23bGlBtTiX.exe.1dad1fc2b43.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.23bGlBtTiX.exe.1dad3f14529.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.23bGlBtTiX.exe.1dad3f42f2d.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.0.23bGlBtTiX.exe.1dad3ee8325.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Sample uses string decryption to hide its real strings

Source: 23bGlBtTiX.exe	String decryptor: n%p
Source: 23bGlBtTiX.exe	String decryptor: =O-
Source: 23bGlBtTiX.exe	String decryptor: 8?^
Source: 23bGlBtTiX.exe	String decryptor: <BW
Source: 23bGlBtTiX.exe	String decryptor: ws\|
Source: 23bGlBtTiX.exe	String decryptor: w!:
Source: 23bGlBtTiX.exe	String decryptor: \|No
Source: 23bGlBtTiX.exe	String decryptor: B&'
Source: 23bGlBtTiX.exe	String decryptor: z`7
Source: 23bGlBtTiX.exe	String decryptor: +u
Source: 23bGlBtTiX.exe	String decryptor: =O-
Source: 23bGlBtTiX.exe	String decryptor: =O-
Source: 23bGlBtTiX.exe	String decryptor: dL- _,
Source: 23bGlBtTiX.exe	String decryptor: dL-

Source: 23bGlBtTiX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/src/Nito.AsyncEx.Coordination/obj/Release/net461/Nito.AsyncEx.Coordination.pdbSHA256{ source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988027071.000001DAD4740000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/MahApps.Metro.SimpleChildWindow/obj/Release/net47/MahApps.Metro.SimpleChildWindow.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: RayCarrot.RCP.Metro.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/src/MahApps.Metro/obj/Release/net47/MahApps.Metro.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Users\RibShark\Documents\Projects\rayman3-input-fix\Release\dinput8.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/src/Nito.Collections.Deque/obj/Release/net461/Nito.Collections.Deque.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Dev\RayCarrot\RCP_Metro\RayCarrot.RCP.Metro\src\RayCarrot.RCP.Uninstaller\obj\Release\RayCarrot.RCP.Uninstaller.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: RayCarrot.RCP.Metro.pdbMPDB source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Paulo\Projetos\WPF-AutoComplete-TextBox\AutoCompleteTextBox\AutoCompleteTextBox\obj\Release\net472\AutoCompleteTextBox.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3124879805.000001DAEEEB0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988975888.000001DAD6065000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\Magick.Native\Magick.Native\src\Magick.Native\bin\ReleaseQ8\x64\Magick.Native-Q8-x64.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF3635000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3689000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.2988185158.000001DAD4760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/Nito.Collections.Deque/obj/Release/net461/Nito.Collections.Deque.pdbSHA256;@ source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\Magick.Native\Magick.Native\src\Magick.Native\bin\ReleaseQ8\x64\Magick.Native-Q8-x64.pdb' source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF3635000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3689000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.2988027071.000001DAD4740000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/Nito.AsyncEx.Coordination/obj/Release/net461/Nito.AsyncEx.Coordination.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2987761781.000001DAD46A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/ControlzEx/obj/Release/net462/ControlzEx.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988245314.000001DAD4770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dinput.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdbSHA256: source: 23bGlBtTiX.exe, 00000000.00000002.2987761781.000001DAD46A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988185158.000001DAD4760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Paulo\Projetos\WPF-AutoComplete-TextBox\AutoCompleteTextBox\AutoCompleteTextBox\obj\Release\net472\AutoCompleteTextBox.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.3124879805.000001DAEEEB0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988975888.000001DAD6065000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\Microsoft.Xaml.Behaviors\obj\Release\net462\Microsoft.Xaml.Behaviors.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3125044472.000001DAEEEC0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6FFE000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE7026000.00000004.00000800.00020000.00000000.sdmp

Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_GOG.zipVhttps://raym.app/rcp/featured_gb_mods.jsoncnhttps://github.com/RayCarrot/Rayman-Control-Panel-MetroFhttps://www.youtube.com/c/RayCarrot:https://twitter.com/RayCarrot@mailto:RayCarrotMaster@gmail.comhhttps://steamcommunity.com/groups/RaymanControlPanel equals www.twitter.com (Twitter)
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_GOG.zipVhttps://raym.app/rcp/featured_gb_mods.jsoncnhttps://github.com/RayCarrot/Rayman-Control-Panel-MetroFhttps://www.youtube.com/c/RayCarrot:https://twitter.com/RayCarrot@mailto:RayCarrotMaster@gmail.comhhttps://steamcommunity.com/groups/RaymanControlPanel equals www.youtube.com (Youtube)

Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF359F000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD35F3000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.css
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF359F000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD35F3000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://.jpg
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Buttons.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.ComboBox.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.ListBox.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Scrollbars.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Shared.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.TabControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.TextBlock.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Styles/Controls.TextBox.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorCanvas.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorCanvas.xaml0
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorComponentSlider.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorEyeDropper.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorPalette.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorPicker.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ContentControlEx.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/Dialogs/BaseMetroDialog.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/HamburgerMenu.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/HamburgerMenuTemplate.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/HotKeyBox.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/MetroContentControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/MetroHeader.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/MetroProgressBar.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/MetroTabControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/MetroTabItem.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/MetroWindow.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/NumericUpDown.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/Pivot.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ProgressRing.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/RangeSlider.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/SplitButton.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/SplitView.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/Thumb.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/Tile.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/ToggleSwitch.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/TransitioningContentControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/WindowButtonCommands.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/Themes/WindowCommands.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.blue.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.cyan.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.emerald.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.green.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.green.xaml0
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.indigo.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.lime.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.magenta.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.olive.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.orange.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.purple.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.red.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.sienna.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.steel.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.taupe.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.teal.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.violet.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.yellow.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.cyan.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.emerald.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.green.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.indigo.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.magenta.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.mauve.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.pink.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.red.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.sienna.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.steel.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.taupe.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.teal.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.violet.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://defaultcontainer/MahApps.Metro;component/styles/themes/light.yellow.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Styles/Controls.ListBox.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ColorPicker/ColorCanvas.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ColorPicker/ColorComponentSlider.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ColorPicker/ColorEyeDropper.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ColorPicker/ColorPalette.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ColorPicker/ColorPicker.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ContentControlEx.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/Dialogs/BaseMetroDialog.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/HamburgerMenu.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/HamburgerMenuTemplate.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/HotKeyBox.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroAnimatedTabControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroContentControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroHeader.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroProgressBar.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroTabControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroTabItem.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/MetroWindow.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/NumericUpDown.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/Pivot.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ProgressRing.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/RangeSlider.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/SplitButton.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/SplitView.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/Thumb.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/Tile.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/ToggleSwitch.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/TransitioningContentControl.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/WindowButtonCommands.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/Themes/WindowCommands.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/controls.listbox.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/controls.listbox.baml0
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.blue.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.cyan.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.emerald.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.green.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.indigo.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.lime.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.magenta.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.olive.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.orange.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.purple.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.red.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.sienna.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.steel.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.taupe.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.teal.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.violet.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/dark.yellow.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.cyan.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.emerald.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.green.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.indigo.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.magenta.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.mauve.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.pink.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.red.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.sienna.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.steel.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.taupe.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.teal.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.violet.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/styles/themes/light.yellow.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/colorpicker/colorcanvas.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/colorpicker/colorcomponentslider.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/colorpicker/coloreyedropper.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/colorpicker/colorpalette.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/colorpicker/colorpicker.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/contentcontrolex.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/dialogs/basemetrodialog.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/hamburgermenu.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/hamburgermenutemplate.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/hotkeybox.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metroanimatedtabcontrol.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metrocontentcontrol.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metroheader.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metroprogressbar.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metrotabcontrol.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metrotabitem.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/metrowindow.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/numericupdown.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/pivot.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/progressring.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/rangeslider.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/splitbutton.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/splitview.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/thumb.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/tile.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/toggleswitch.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/transitioningcontentcontrol.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/windowbuttoncommands.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/bar/themes/windowcommands.baml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.blue.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.blue.xaml0
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.cyan.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.emerald.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.green.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.indigo.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.lime.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.magenta.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.olive.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.orange.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.purple.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.red.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.sienna.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.steel.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.taupe.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.teal.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.violet.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/dark.yellow.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.cyan.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.emerald.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.green.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.indigo.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.magenta.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.mauve.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.pink.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.red.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.sienna.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.steel.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.taupe.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.teal.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.violet.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo/styles/themes/light.yellow.xaml
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF359F000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD35F3000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF30A9000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD30FD000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://medical.nema.org/.
Source: 23bGlBtTiX.exe	String found in binary or memory: http://metro.mahapps.com/winfx/xaml/controls
Source: 23bGlBtTiX.exe	String found in binary or memory: http://metro.mahapps.com/winfx/xaml/iconpacks
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6EEC000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6B3D000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://metro.mahapps.com/winfx/xaml/shared
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6EEC000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://metro.mahapps.com/winfx/xaml/simplechildwindow
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 23bGlBtTiX.exe	String found in binary or memory: http://wpfcontrols.com/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD317E000.00000002.00000001.01000000.00000003.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF312A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF312A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.libpng.org/
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF312A000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.libpng.org/pub/mng/
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF30A9000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD30FD000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.smtpe.org
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://aka.ms/toolkit/dotnet
Source: 23bGlBtTiX.exe, 00000000.00000002.3246833523.00007FFDF37F3000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://efg2.com/Lab/Library/ImageProcessing/DHALF.TXT
Source: 23bGlBtTiX.exe, 00000000.00000002.3246833523.00007FFDF37F3000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://fho-emden.de/~hoffmann/hilb010101.pdf
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamebanana.com/apiv11/Game/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamebanana.com/apiv11/Mod/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamebanana.com/apiv11/Mod/Multi?_csvRowIds=
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamebanana.com/mods/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/RaymanGardenPlus/622289
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/Rayman_ReDesigner/539216
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/Rayman_ReDesigner/539216dhttps://gamejolt.com/games/dreamersboundary/5075
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/Rayman_The_Dark_Magicians_Reign_of_terror/237701
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/Rayman_The_Dark_Magicians_Reign_of_terror/237701YRayman
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/dreamersboundary/507525GRayman
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/globoxmoment/428585
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/globoxmoment/428585#Globox
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/rayman_bowling_2/532563
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/rayman_bowling_2/532563)Rayman
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://gamejolt.com/games/raymanredemption/340532
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/CommunityToolkit/dotnet
Source: 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/ControlzEx/ControlzEx
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/ControlzEx/ControlzEx0
Source: 23bGlBtTiX.exe, 00000000.00000002.2988975888.000001DAD5FF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/MahApps/MahAp
Source: 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/MahApps/MahApps.Metro.git
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/MahApps/MahApps.Metro0
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/NLog/NLog.git
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://github.com/RayCarrot/RayCarrot.RCP.Metro/wiki/Mod-LoaderCConverting
Source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/StephenCleary/AsyncEx
Source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/StephenCleary/AsyncEx5
Source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/StephenCleary/Deque
Source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/StephenCleary/Deque2
Source: 23bGlBtTiX.exe, 00000000.00000002.2988245314.000001DAD4770000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
Source: 23bGlBtTiX.exe, 00000000.00000002.2988245314.000001DAD4770000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
Source: 23bGlBtTiX.exe, 00000000.00000002.2988185158.000001DAD4760000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988027071.000001DAD4740000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2987761781.000001DAD46A0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: 23bGlBtTiX.exe, 00000000.00000002.3125044472.000001DAEEEC0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6FFE000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE7026000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/microsoft/XamlBehaviorsWpf
Source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/punker76/MahApps.Metro.SimpleChildWindow
Source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/punker76/MahApps.Metro.SimpleChildWindow.git
Source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/punker76/MahApps.Metro.SimpleChildWindow.gitT
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3218000.00000002.00000001.01000000.00000003.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF31C3000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://gitlab.gnome.org/GNOME/glib/issues/new
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3218000.00000002.00000001.01000000.00000003.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF31C3000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://gitlab.gnome.org/GNOME/glib/issues/newD:
Source: magick.native-q8-x64.dll.0.dr	String found in binary or memory: https://imagemagick.org
Source: 23bGlBtTiX.exe, 00000000.00000002.3246833523.00007FFDF37F3000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://imagemagick.org/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://imagemagick.org/0
Source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF3005000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD2BA7000.00000002.00000001.01000000.00000003.sdmp, magick.native-q8-x64.dll.0.dr	String found in binary or memory: https://imagemagick.orgsoftwareThumb::Image::WidthThumb::Image::HeightThumb::Document::Pages
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nlog-project.org/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/maps/2https://raym.app/maps_r1/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/maps/?mode=
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/maps_r1/?mode=
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/ray1editor/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/RCP_Metro_Manifest.json
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/Xhttps://raym.app/rcp/RCP_Metro_Manifest.json
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/featured_gb_mods.jsoncILoading
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/news.json
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/news.jsonLhttps://raym.app/rcp/resources/12.0.0/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_1.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_2.zip7Rayman3_Demo_20021210_Win32
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_3.zip7Rayman3_Demo_20030108_Win32
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_4.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_5.zip7Rayman3_Demo_20030129_Win32
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/RRR_Demo.zip3RaymanRavingRabbids_Win32
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_1_Demo_1.zip7Rayman1_Demo_19960215_MsDos
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_1_Demo_2.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_1_Demo_3.zip7Rayman1_Demo_19951207_MsDos
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_2_Demo_1.zip)BinData
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_2_Demo_2.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_Gold_Demo.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_Gold_Demo.zip~https://raym.app/rcp/resources/12.0
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/demos/Rayman_M_Demo.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/games/PrintStudio1.zipyhttps://raym.app/rcp/resources/12.0.0/g
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/games/RavingRabbidsActivityCenter.zipORaymanRavingRabbids_Demo
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/games/RavingRabbidsActivityCenter.ziprhttps://raym.app/rcp/res
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/games/Ray1Minigames.zip7Rayman2_Demo_19990818_Win32
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_GOG.zip)Invalid
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_GOG.zipVhttps://raym.app/rcp/featured_gb_
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_Steam.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/Vhttps://raym.app/rcp/resources/12.0.0/mods/Xhttps:/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/CompleteOST.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/CompleteOST.zip/Replacing
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/IncompleteOST.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/TPLS.zipIThe
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/CLIENT.EXE
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/RAYRUN.EXE
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/STARTUP.EXE
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/al/MAPPER.EXE
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/fr/MAPPER.EXE
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/us/MAPPER.EXE
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/ro/Updater.zip
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://raym.app/rcp/resources/12.0.0/utilities/ro/Updater.zip1RaymanOriginspc_1.02.exe-Downloading
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://steamcommunity.com/groups/RaymanControlPanel
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://steamcommunity.com/groups/RaymanControlPanel/discussions/0/1812044473314212117/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://store.steampowered.com/app/?https://steamcommunity.com/app/%steam://rungameid/
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://store.ubisoft.com/game?pid=
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.gog.com/game/rayman_2_the_great_escape
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.gog.com/game/rayman_3_hoodlum_havoc
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.gog.com/game/rayman_forever3GameDisplay_PurchaseUplay
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.gog.com/game/rayman_origins
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.gog.com/game/rayman_raving_rabbids
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.google.com/s2/favicons?domain=-Getting
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore

Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: DirectInput8Create called.

memstr_109c4676-8

Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: ARegisterRawInputDevices

memstr_4ca13a1f-5

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B899BA0	0_2_00007FFD9B899BA0
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B897E49	0_2_00007FFD9B897E49
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B890548	0_2_00007FFD9B890548
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B89BAA1	0_2_00007FFD9B89BAA1
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B89C7E0	0_2_00007FFD9B89C7E0

Source: 23bGlBtTiX.exe

Static PE information: No import functions for PE file found

Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameControlzEx.dll6 vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMahApps.Metro.dll< vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMahApps.Metro.dll< vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: _originalFileName vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNLog.dll8 vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameControlzEx.dll6 vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.2988185158.000001DAD4760000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Bcl.AsyncInterfaces.dll@ vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3246833523.00007FFDF37F3000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: OriginalFilenameMagick.Native< vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: _originalFileName vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNLog.dll8 vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRayCarrot.RCP.Updater.exe^ vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRayCarrot.RCP.Uninstaller.exeT vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDInput.dllj% vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3125044472.000001DAEEEC0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Xaml.Behaviors.dllR vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.2988027071.000001DAD4740000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.DependencyInjection.dll@ vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMagick.Native< vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRayCarrot.RCP.Metro.resources.dllL vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6FFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Xaml.Behaviors.dllR vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNito.Collections.Deque.dllN vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNito.AsyncEx.Coordination.dllT vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3124879805.000001DAEEEB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoCompleteTextBox.dllH vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.DependencyInjection.dll@ vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: _originalFileName vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNLog.dll8 vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000000.1711444485.000001DAD4306000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRayCarrot.RCP.Metro.exeJ vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMahApps.Metro.dll< vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.2988245314.000001DAD4770000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Tasks.Extensions.dllT vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.2987761781.000001DAD46A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Extensions.DependencyInjection.Abstractions.dll@ vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCommunityToolkit.Mvvm.dllN vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMahApps.Metro.SimpleChildWindow.dll` vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.2988975888.000001DAD6065000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAutoCompleteTextBox.dllH vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE7026000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Xaml.Behaviors.dllR vs 23bGlBtTiX.exe
Source: 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameControlzEx.dll6 vs 23bGlBtTiX.exe

Source: classification engine

Classification label: mal48.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Mutant created: \Sessions\1\BaseNamedObjects\Costura0356CB2390ED0D212B1CEB25ED194726
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\b2de6d50-e70b-47c4-bef0-471de28816d0

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

File created: C:\Users\user\AppData\Local\Temp\Costura

Jump to behavior

Source: 23bGlBtTiX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 23bGlBtTiX.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 23bGlBtTiX.exe	String found in binary or memory: Binstaller/installergifs/astro.gif
Source: 23bGlBtTiX.exe	String found in binary or memory: @installer/installergifs/cask.gif+
Source: 23bGlBtTiX.exe	String found in binary or memory: Binstaller/installergifs/chase.gifL
Source: 23bGlBtTiX.exe	String found in binary or memory: @installer/installergifs/glob.gif
Source: 23bGlBtTiX.exe	String found in binary or memory: Binstaller/installergifs/rodeo.gifj
Source: 23bGlBtTiX.exe	String found in binary or memory: Pui/controls/loadinghost/loadinghost.baml.
Source: 23bGlBtTiX.exe	String found in binary or memory: Nui/dialogs/addgames/addgamesdialog.baml7
Source: 23bGlBtTiX.exe	String found in binary or memory: Xui/dialogs/addgames/addgamesgamecontrol.baml8
Source: 23bGlBtTiX.exe	String found in binary or memory: lui/dialogs/gameclientssetup/addgameclientscontrol.baml9
Source: 23bGlBtTiX.exe	String found in binary or memory: (UI/Controls/LoadingHost/LoadingHost.xaml?

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

File read: C:\Users\user\Desktop\23bGlBtTiX.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: msctfui.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Section loaded: d3dcompiler_47.dll	Jump to behavior

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 23bGlBtTiX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 23bGlBtTiX.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 23bGlBtTiX.exe

Static file information: File size 51514368 > 1048576

Source: 23bGlBtTiX.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x30f2800

Source: 23bGlBtTiX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 23bGlBtTiX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: /_/src/Nito.AsyncEx.Coordination/obj/Release/net461/Nito.AsyncEx.Coordination.pdbSHA256{ source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988027071.000001DAD4740000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/MahApps.Metro.SimpleChildWindow/obj/Release/net47/MahApps.Metro.SimpleChildWindow.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: RayCarrot.RCP.Metro.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/src/MahApps.Metro/obj/Release/net47/MahApps.Metro.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6820000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3114651832.000001DAEEA30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Users\RibShark\Documents\Projects\rayman3-input-fix\Release\dinput8.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/src/Nito.Collections.Deque/obj/Release/net461/Nito.Collections.Deque.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Dev\RayCarrot\RCP_Metro\RayCarrot.RCP.Metro\src\RayCarrot.RCP.Uninstaller\obj\Release\RayCarrot.RCP.Uninstaller.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: RayCarrot.RCP.Metro.pdbMPDB source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\Paulo\Projetos\WPF-AutoComplete-TextBox\AutoCompleteTextBox\AutoCompleteTextBox\obj\Release\net472\AutoCompleteTextBox.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3124879805.000001DAEEEB0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988975888.000001DAD6065000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\Magick.Native\Magick.Native\src\Magick.Native\bin\ReleaseQ8\x64\Magick.Native-Q8-x64.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF3635000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3689000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.2988185158.000001DAD4760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/Nito.Collections.Deque/obj/Release/net461/Nito.Collections.Deque.pdbSHA256;@ source: 23bGlBtTiX.exe, 00000000.00000002.3113630486.000001DAEE9A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/NLog/obj/Release/net46/NLog.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/NLog/obj/Release/net46/NLog.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\Magick.Native\Magick.Native\src\Magick.Native\bin\ReleaseQ8\x64\Magick.Native-Q8-x64.pdb' source: 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF3635000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3689000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.2988027071.000001DAD4740000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/src/Nito.AsyncEx.Coordination/obj/Release/net461/Nito.AsyncEx.Coordination.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3113392926.000001DAEE980000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2987761781.000001DAD46A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/ControlzEx/obj/Release/net462/ControlzEx.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988245314.000001DAD4770000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/src/CommunityToolkit.Mvvm/obj/Release/netstandard2.0/CommunityToolkit.Mvvm.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988422510.000001DAD4930000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: dinput.pdb source: 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD21A7000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdbSHA256: source: 23bGlBtTiX.exe, 00000000.00000002.2987761781.000001DAD46A0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: 23bGlBtTiX.exe, 00000000.00000002.2988185158.000001DAD4760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Paulo\Projetos\WPF-AutoComplete-TextBox\AutoCompleteTextBox\AutoCompleteTextBox\obj\Release\net472\AutoCompleteTextBox.pdbSHA256 source: 23bGlBtTiX.exe, 00000000.00000002.3124879805.000001DAEEEB0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.2988975888.000001DAD6065000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\src\Microsoft.Xaml.Behaviors\obj\Release\net462\Microsoft.Xaml.Behaviors.pdb source: 23bGlBtTiX.exe, 00000000.00000002.3125044472.000001DAEEEC0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6FFE000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE7026000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 23bGlBtTiX.exe, type: SAMPLE
Source: Yara match	File source: 0.0.23bGlBtTiX.exe.1dad1fc2b43.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.23bGlBtTiX.exe.1dad3f14529.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.23bGlBtTiX.exe.1dad3f42f2d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.23bGlBtTiX.exe.1dad3ee8325.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1679030875.000001DAD1FDB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2990307355.000001DAD60C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 23bGlBtTiX.exe PID: 6760, type: MEMORYSTR

Source: 23bGlBtTiX.exe

Static PE information: 0x818D346F [Tue Nov 16 10:07:43 2038 UTC]

Source: magick.native-q8-x64.dll.0.dr

Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B77D2A5 pushad ; iretd	0_2_00007FFD9B77D2A6
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B8A4BF7 push FFFFFFE8h; ret	0_2_00007FFD9B8A4BF9
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B897A78 pushad ; retf	0_2_00007FFD9B897C5D
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Code function: 0_2_00007FFD9B897C5E push eax; retf	0_2_00007FFD9B897C6D

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

File created: C:\Users\user\AppData\Local\Temp\Costura\0356CB2390ED0D212B1CEB25ED194726\64\magick.native-q8-x64.dll

Jump to dropped file

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Memory allocated: 1DAD4660000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Memory allocated: 1DAEE0C0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Costura\0356CB2390ED0D212B1CEB25ED194726\64\magick.native-q8-x64.dll

Jump to dropped file

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6351000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3113747204.000001DAEE9E0000.00000004.08000000.00040000.00000000.sdmp

Binary or memory string: Shell_TrayWnd-Shell_SecondaryTrayWndhwndthis

Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Users\user\Desktop\23bGlBtTiX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Controls.Ribbon\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Controls.Ribbon.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationClient\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationClient.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\23bGlBtTiX.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\23bGlBtTiX.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Virtualization/Sandbox Evasion	21 Input Capture	1 Virtualization/Sandbox Evasion	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
23bGlBtTiX.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Costura\0356CB2390ED0D212B1CEB25ED194726\64\magick.native-q8-x64.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://foo/Themes/ColorPicker/ColorPalette.xaml	0%	Avira URL Cloud	safe
https://nlog-project.org/	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/WindowButtonCommands.xaml	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.emerald.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.blue.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/SplitButton.xaml	0%	Avira URL Cloud	safe
http://foo/bar/themes/splitview.baml	0%	Avira URL Cloud	safe
http://foo/bar/styles/controls.listbox.baml0	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.indigo.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/demos/Rayman_2_Demo_2.zip	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorPalette.xaml	0%	Avira URL Cloud	safe
https://steamcommunity.com/groups/RaymanControlPanel/discussions/0/1812044473314212117/	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.mauve.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/styles/themes/light.violet.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/Pivot.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/TransitioningContentControl.xaml	0%	Avira URL Cloud	safe
http://foo/bar/themes/contentcontrolex.baml	0%	Avira URL Cloud	safe
http://foo/styles/themes/dark.violet.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/CLIENT.EXE	0%	Avira URL Cloud	safe
https://www.gog.com/game/rayman_3_hoodlum_havoc	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/styles/themes/light.mauve.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/utilities/Vhttps://raym.app/rcp/resources/12.0.0/mods/Xhttps:/	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.sienna.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/ToggleSwitch.xaml	0%	Avira URL Cloud	safe
http://foo/bar/themes/numericupdown.baml	0%	Avira URL Cloud	safe
http://foo/bar/themes/hamburgermenutemplate.baml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/light.sienna.baml	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.green.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/games/PrintStudio1.zipyhttps://raym.app/rcp/resources/12.0.0/g	0%	Avira URL Cloud	safe
http://foo/styles/themes/dark.teal.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/utilities/r1/CompleteOST.zip	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/Dialogs/BaseMetroDialog.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/Dialogs/BaseMetroDialog.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/MetroTabControl.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/ProgressRing.xaml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/dark.purple.baml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/dark.violet.baml	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.magenta.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_1.zip	0%	Avira URL Cloud	safe
https://gamejolt.com/games/globoxmoment/428585#Globox	0%	Avira URL Cloud	safe
https://github.com/punker76/MahApps.Metro.SimpleChildWindow.git	0%	Avira URL Cloud	safe
http://foo/Themes/SplitView.xaml	0%	Avira URL Cloud	safe
https://gamejolt.com/games/rayman_bowling_2/532563	0%	Avira URL Cloud	safe
http://foo/bar/themes/pivot.baml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/light.taupe.baml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/utilities/ro/Updater.zip1RaymanOriginspc_1.02.exe-Downloading	0%	Avira URL Cloud	safe
http://foo/bar/themes/tile.baml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/dark.magenta.baml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_Steam.zip	0%	Avira URL Cloud	safe
https://gamebanana.com/apiv11/Mod/Multi?_csvRowIds=	0%	Avira URL Cloud	safe
http://foo/bar/themes/colorpicker/colorpicker.baml	0%	Avira URL Cloud	safe
https://www.gog.com/game/rayman_2_the_great_escape	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/dark.taupe.baml	0%	Avira URL Cloud	safe
https://raym.app/maps/2https://raym.app/maps_r1/	0%	Avira URL Cloud	safe
http://foo/styles/themes/dark.purple.xaml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/light.indigo.baml	0%	Avira URL Cloud	safe
http://foo/bar/themes/metrowindow.baml	0%	Avira URL Cloud	safe
https://www.nuget.org/packages/NLog.Web.AspNetCore	0%	Avira URL Cloud	safe
http://foo/styles/themes/dark.yellow.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.emerald.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/HotKeyBox.xaml	0%	Avira URL Cloud	safe
http://foo/bar/themes/hamburgermenu.baml	0%	Avira URL Cloud	safe
http://foo/Themes/HamburgerMenuTemplate.xaml	0%	Avira URL Cloud	safe
https://gitlab.gnome.org/GNOME/glib/issues/new	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/demos/Rayman_M_Demo.zip	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/dark.emerald.baml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/ContentControlEx.xaml	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_4.zip	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/games/RavingRabbidsActivityCenter.zipORaymanRavingRabbids_Demo	0%	Avira URL Cloud	safe
https://gamejolt.com/games/Rayman_ReDesigner/539216	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.teal.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Scrollbars.xaml	0%	Avira URL Cloud	safe
https://github.com/microsoft/XamlBehaviorsWpf	0%	Avira URL Cloud	safe
https://imagemagick.orgsoftwareThumb::Image::WidthThumb::Image::HeightThumb::Document::Pages	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.cyan.xaml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/light.mauve.baml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Shared.xaml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/dark.olive.baml	0%	Avira URL Cloud	safe
http://foo/bar/styles/themes/light.pink.baml	0%	Avira URL Cloud	safe
https://gamejolt.com/games/Rayman_The_Dark_Magicians_Reign_of_terror/237701YRayman	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/us/MAPPER.EXE	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/demos/Rayman_1_Demo_2.zip	0%	Avira URL Cloud	safe
http://foo/styles/themes/light.red.xaml	0%	Avira URL Cloud	safe
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://imagemagick.org/0	0%	Avira URL Cloud	safe
http://foo/Themes/MetroWindow.xaml	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/ToggleSwitch.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/MetroHeader.xaml	0%	Avira URL Cloud	safe
https://efg2.com/Lab/Library/ImageProcessing/DHALF.TXT	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/games/RavingRabbidsActivityCenter.ziprhttps://raym.app/rcp/res	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.lime.xaml	0%	Avira URL Cloud	safe
http://foo/Themes/RangeSlider.xaml	0%	Avira URL Cloud	safe
http://metro.mahapps.com/winfx/xaml/iconpacks	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/MetroWindow.xaml	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_3.zip7Rayman3_Demo_20030108_Win32	0%	Avira URL Cloud	safe
http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorEyeDropper.xaml	0%	Avira URL Cloud	safe
https://store.steampowered.com/app/?https://steamcommunity.com/app/%steam://rungameid/	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://foo/Themes/ColorPicker/ColorPalette.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/splitview.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.blue.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.emerald.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/demos/Rayman_2_Demo_2.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/WindowButtonCommands.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/controls.listbox.baml0	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.indigo.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nlog-project.org/	23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/SplitButton.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorPalette.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/groups/RaymanControlPanel/discussions/0/1812044473314212117/	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/TransitioningContentControl.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.mauve.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/styles/themes/light.violet.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/CLIENT.EXE	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/contentcontrolex.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/dark.violet.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/Pivot.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.gog.com/game/rayman_3_hoodlum_havoc	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/styles/themes/light.mauve.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/utilities/Vhttps://raym.app/rcp/resources/12.0.0/mods/Xhttps:/	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.sienna.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/hamburgermenutemplate.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/games/PrintStudio1.zipyhttps://raym.app/rcp/resources/12.0.0/g	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/numericupdown.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.green.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/ToggleSwitch.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/light.sienna.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/dark.teal.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/utilities/r1/CompleteOST.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/Dialogs/BaseMetroDialog.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/Dialogs/BaseMetroDialog.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/dark.violet.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/MetroTabControl.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/dark.purple.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/ProgressRing.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.magenta.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_1.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://gamejolt.com/games/globoxmoment/428585#Globox	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/punker76/MahApps.Metro.SimpleChildWindow.git	23bGlBtTiX.exe, 00000000.00000002.3124632455.000001DAEEE90000.00000004.08000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/SplitView.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gamejolt.com/games/rayman_bowling_2/532563	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/light.taupe.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/pivot.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/tile.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/mods/rrr/RRR_Patched_Steam.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/utilities/ro/Updater.zip1RaymanOriginspc_1.02.exe-Downloading	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/dark.magenta.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gamebanana.com/apiv11/Mod/Multi?_csvRowIds=	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.gog.com/game/rayman_2_the_great_escape	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/maps/2https://raym.app/maps_r1/	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/metrowindow.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/dark.taupe.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/dark.purple.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/colorpicker/colorpicker.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.nuget.org/packages/NLog.Web.AspNetCore	23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6DE4000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3110914267.000001DAEE890000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE60C8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/light.indigo.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/dark.yellow.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.emerald.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/HotKeyBox.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/themes/hamburgermenu.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gitlab.gnome.org/GNOME/glib/issues/new	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD3218000.00000002.00000001.01000000.00000003.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF31C3000.00000002.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/demos/Rayman_M_Demo.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_4.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/games/RavingRabbidsActivityCenter.zipORaymanRavingRabbids_Demo	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/HamburgerMenuTemplate.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/ContentControlEx.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/dark.emerald.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gamejolt.com/games/Rayman_ReDesigner/539216	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.teal.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Scrollbars.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/microsoft/XamlBehaviorsWpf	23bGlBtTiX.exe, 00000000.00000002.3125044472.000001DAEEEC0000.00000004.08000000.00040000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE6FFE000.00000004.00000800.00020000.00000000.sdmp, 23bGlBtTiX.exe, 00000000.00000002.3058157758.000001DAE7026000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imagemagick.orgsoftwareThumb::Image::WidthThumb::Image::HeightThumb::Document::Pages	23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF3005000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD2BA7000.00000002.00000001.01000000.00000003.sdmp, magick.native-q8-x64.dll.0.dr	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/light.mauve.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.cyan.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/dark.olive.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/bar/styles/themes/light.pink.baml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Styles/Controls.Shared.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gamejolt.com/games/Rayman_The_Dark_Magicians_Reign_of_terror/237701YRayman	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/demos/Rayman_1_Demo_2.zip	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/utilities/r1/raykit/us/MAPPER.EXE	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/styles/themes/light.red.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imagemagick.org/0	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://html4/loose.dtd	23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF359F000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD35F3000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/ToggleSwitch.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://efg2.com/Lab/Library/ImageProcessing/DHALF.TXT	23bGlBtTiX.exe, 00000000.00000002.3246833523.00007FFDF37F3000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/MetroWindow.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/MetroHeader.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/games/RavingRabbidsActivityCenter.ziprhttps://raym.app/rcp/res	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/styles/themes/dark.lime.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6B09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://foo/Themes/RangeSlider.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://metro.mahapps.com/winfx/xaml/iconpacks	23bGlBtTiX.exe	false	Avira URL Cloud: safe	unknown
https://raym.app/rcp/resources/12.0.0/demos/R3_Demo_3.zip7Rayman3_Demo_20030108_Win32	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://.css	23bGlBtTiX.exe, 00000000.00000002.3214981273.00007FFDF359F000.00000002.00000001.01000000.00000006.sdmp, 23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD35F3000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/app/?https://steamcommunity.com/app/%steam://rungameid/	23bGlBtTiX.exe, 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/ColorPicker/ColorEyeDropper.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://defaultcontainer/MahApps.Metro;component/Themes/MetroWindow.xaml	23bGlBtTiX.exe, 00000000.00000002.2990307355.000001DAD6109000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1446918
Start date and time:	2024-05-24 01:03:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	23bGlBtTiX.exe renamed because original name is a hash value
Original Sample Name:	ca6e33cf72e210e9b8faaa354de8b2382fc5e2a163d9172802011f68983fccb0.exe
Detection:	MAL
Classification:	mal48.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 54% Number of executed functions: 14 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
VT rate limit hit for: 23bGlBtTiX.exe

Process:	C:\Users\user\Desktop\23bGlBtTiX.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	23137624
Entropy (8bit):	6.57670120569104
Encrypted:	false
SSDEEP:	393216:uHOhioP3FFY0cOFqklODLpnZI4OSQH5dZCfBf1N:d1HK
MD5:	6CAC0019D5F953791E171E57EA8F4E7C
SHA1:	3EE0AE90971A319BEE12B9BBE6D7587B7C8F923B
SHA-256:	33D66978194CBF759E262A32B83F62E0E7185483824555998B3A9994D2E8B619
SHA-512:	7A0C5805DDEF633E522EBB64772C62FB74F7BF35275AB3635FF3B6D0BA55C1CB5F6CB269B5A1ABFA5DA748EA82BCC71225F0BC6EF8B074BB8CBB0C450E8F5324
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.........M...#...#...#... ...#...&.K.#......#...&..#...'...#... ...#...'...#... ...#...#...#...'.j.#...&..#..."...#..."...#...*...#...#...#......#.......#...!...#.Rich..#.........................PE..d...`.oe.........." ...%.:..........,.)......................................@g.....&.a...`.........................................p5O.\|b...O.......d.0z...0\.4f....`.X7...0f.P....vB.T....................wB.(...puB.@............P...............................text....9.......:.................. ..`.rdata...pr..P...rr..>..............@..@.data...H]....O..<....O.............@....pdata..4f...0\..h....U.............@..@_RDATA..0.....d......T^.............@..@.rsrc...0z....d..\|...X^.............@..@.reloc..P....0f......._.............@..B........................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.394807966041646
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	23bGlBtTiX.exe
File size:	51'514'368 bytes
MD5:	4e14611a07ab337ac271117a19c3181e
SHA1:	b1e420c460b8dd3d8fbcd5e1f0a14da833d6c05e
SHA256:	ca6e33cf72e210e9b8faaa354de8b2382fc5e2a163d9172802011f68983fccb0
SHA512:	6dfeafc0e260bd1d081ac6a3422f2c0d35d88c173391acab097eb672fddb5ee1b8366aee713c6dacea50b6f7714a4158142a729b981fffb1fe1efa2f26890110
SSDEEP:	393216:LwZs2PWABsKi/W8Bs/md6sJZRbfnA3yt1lpoixFHOhioP3FFY0cOFqklODLpnZIl:MZGdO8BsOMsVICNpu1HKNLy70goW41
TLSH:	A7B7E101B3E404E9E1B7C534DA766613EB71B89A077187EF269485ED2F27BD0293B312
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...o4............"...0..(............... ....@...... .......................`............`...@......@............... .....

File Icon


Icon Hash:	8f2d317127b2cacc

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x818D346F [Tue Nov 16 10:07:43 2038 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x30f6000	0x2e0f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x30648c4	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x30f2788	0x30f2800	43659fe9169faa25ba3305ea011a82b7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x30f6000	0x2e0f0	0x2e200	1e36ebd4dbe4034fd6feb8a3990dc3e5	False	0.7380430640243902	data	6.864365166574471	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x30f61a0	0x15359	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.998353918939141
RT_ICON	0x310b50c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5904 x 5904 px/m	0.4873417721518987
RT_ICON	0x311bd44	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5904 x 5904 px/m	0.5686112423240435
RT_ICON	0x311ff7c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5904 x 5904 px/m	0.5997925311203319
RT_ICON	0x3122534	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5904 x 5904 px/m	0.650328330206379
RT_ICON	0x31235ec	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5904 x 5904 px/m	0.7606382978723404
RT_GROUP_ICON	0x3123a64	0x5a	Targa image data - Map 32 x 21337 x 1 +1	0.7777777777777778
RT_VERSION	0x3123ad0	0x41e	data	0.4222011385199241
RT_MANIFEST	0x3123f00	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Target ID:	0
Start time:	19:04:04
Start date:	23/05/2024
Path:	C:\Users\user\Desktop\23bGlBtTiX.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\23bGlBtTiX.exe"
Imagebase:	0x1dad1210000
File size:	51'514'368 bytes
MD5 hash:	4E14611A07AB337AC271117A19C3181E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1679030875.000001DAD1FDB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2990307355.000001DAD60C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1679030875.000001DAD41D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1679030875.000001DAD37D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B899BA0 Relevance: 1.9, Strings: 1, Instructions: 673
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

6M_H, xrefs: 00007FFD9B89EE73

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID: 6M_H
API String ID: 0-3378704075
Opcode ID: a22540c615d33b5e15bfe8da8895c2f059efef3d3261ba6ca00d2c6ab0490ad7
Instruction ID: b2c8b825f9cff0846de29f05b9de865d66d893ad655ae2dfee4fe4853cc52d86
Opcode Fuzzy Hash: a22540c615d33b5e15bfe8da8895c2f059efef3d3261ba6ca00d2c6ab0490ad7
Instruction Fuzzy Hash: E522F330B19A4D8FEBA8DB5CC8656B87BE1EF58310F1141BAD04DC76A2DE34BD468B41

Function 00007FFD9B890548 Relevance: 1.7, Strings: 1, Instructions: 456
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_, xrefs: 00007FFD9B8B0839

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 039b2e2f2daede70b2b5586f189ccd335b781e0239ecc27f2d2e1d4261629726
Instruction ID: 53b417aaf4937689643dd665673cb60604d13c7c0fd8cb296174709d632e2147
Opcode Fuzzy Hash: 039b2e2f2daede70b2b5586f189ccd335b781e0239ecc27f2d2e1d4261629726
Instruction Fuzzy Hash: 08D12763B1F6EA8FE722577D98B50E53BA0EF5666070A40B7C0C5CB0A3E9156906CBC1

Function 00007FFD9B897E49 Relevance: 1.5, Strings: 1, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

I, xrefs: 00007FFD9B897F59, 00007FFD9B897FF7, 00007FFD9B898095

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID: I
API String ID: 0-1966777607
Opcode ID: dd8f109b2b234a49044a3cc86f602a0bfd341ee60e73230093ab1ce2178027ec
Instruction ID: 98c2f2e4eb70ef63eb1f301ff62ffa99380e799646936bf5e0dcbc4af3f498bd
Opcode Fuzzy Hash: dd8f109b2b234a49044a3cc86f602a0bfd341ee60e73230093ab1ce2178027ec
Instruction Fuzzy Hash: 12815A61B0EA8E0BEF29DB6858264B97FC2EF99754B0902BDD449D71A2DD2469038380

Function 00007FFD9B89244C Relevance: 1.6, APIs: 1, Instructions: 128
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 00007FFD9B892504

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a7b99e8bc02880469e8d0b8fb8e84264114b86a5e60251e294aa83ab333bb332
Instruction ID: 60fca6292bf02bb7986dd25f8461e5bda05aa15ca4a57a0b58485da1b8b56698
Opcode Fuzzy Hash: a7b99e8bc02880469e8d0b8fb8e84264114b86a5e60251e294aa83ab333bb332
Instruction Fuzzy Hash: 8631F531A0CB484FDB2DDF989855AF97BF0EF5A311F04426FD04AD3692DB74A8068791

Function 00007FFD9B89236A Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00007FFD9B892414

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 993b45fce80faa7726045fce68e698a184e053bfde93ad5aab6c8e2cded4267b
Instruction ID: 40f4c872d6b1bfd884937e4cabb6ca2a805c64384c918b6ff7ca722e35ab3852
Opcode Fuzzy Hash: 993b45fce80faa7726045fce68e698a184e053bfde93ad5aab6c8e2cded4267b
Instruction Fuzzy Hash: 61312431A0DA4C9FEB1DDF9988456E8BBE0FF59310F00416FC059C32A2DB75A806CB81

Function 00007FFD9B77E330 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

sk;, xrefs: 00007FFD9B77E3C6

Memory Dump Source

Source File: 00000000.00000002.3139865579.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b77d000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID: sk;
API String ID: 0-1256885303
Opcode ID: 206e5b94f8591b755d66267cfed0b2861549e268e8216f333139d482d3deff26
Instruction ID: f32ff191e6c4c4869bc28218bdb11073cabc6235025fe2571a000aeca4415d38
Opcode Fuzzy Hash: 206e5b94f8591b755d66267cfed0b2861549e268e8216f333139d482d3deff26
Instruction Fuzzy Hash: F641177150EBC44FE7568B3998959623FF0EF47320B1606EFD088CB1B3D665A846C7A2

Function 00007FFD9BBA1D1D Relevance: .7, Instructions: 742COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931700a536a4549b1eed8ff797d90b3025152105fb0e756be771876349837e11
Instruction ID: 2480b9bd2022bdb8ab53e66bb95ca0e8ac96640bacc54d4f1d84ef03bcb807fc
Opcode Fuzzy Hash: 931700a536a4549b1eed8ff797d90b3025152105fb0e756be771876349837e11
Instruction Fuzzy Hash: 08423831E0E78A4EE7B99A9488615BD3BD1FF95308F05057ED48DC75E3ED186A0AC382

Function 00007FFD9BBA0ED0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a997bdc1be989949e00ea7e06f7d556b9403227f532afc60fda094ce930ecc
Instruction ID: e76afcb70866bddbff4fb62ee4ef79f15afd260147f9b08756d76abfc91f8457
Opcode Fuzzy Hash: 71a997bdc1be989949e00ea7e06f7d556b9403227f532afc60fda094ce930ecc
Instruction Fuzzy Hash: 86C1D335F0EA4E0FEBA8EB688422AB973D1FF45714F45017DD45EC31E2DE29A9028781

Function 00007FFD9BBA1EE9 Relevance: .4, Instructions: 405COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd8dd318fcd74d23a65d06cb91a8b305c7de4056a906acd118677889e619032
Instruction ID: 1e1232f6a54856341cc575f075a4f54d8022747063fe4bc84a5d21502a942f25
Opcode Fuzzy Hash: bbd8dd318fcd74d23a65d06cb91a8b305c7de4056a906acd118677889e619032
Instruction Fuzzy Hash: 6CD10A71E0E78A4FEB769B9488615B93BE1FF55308F0505BED44CC74E3FA189A0A8781

Function 00007FFD9BBA14E9 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0c7f2fafac0ee7903fa8b322528604375e760a196dbcb0f6cdb60d7d7b6884
Instruction ID: 3e47d44dc77b43473c54859d3e32bebc1e334ed1bca249cd71e084e6526ef35a
Opcode Fuzzy Hash: 9c0c7f2fafac0ee7903fa8b322528604375e760a196dbcb0f6cdb60d7d7b6884
Instruction Fuzzy Hash: 28418710B19E594FEBD5A77C44322B827D2EF8E744B5A41F9E44DC72E7DD18AE014381

Function 00007FFD9BBA0060 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1809f4d892a60576acf4a54f0cf3a65f63cc1a6f9f7a707d4f629ffa863c354
Instruction ID: 03a3f4dba45beaf835f36c4dcf6c3c31711fe70534100bac2ea9436acfed690b
Opcode Fuzzy Hash: f1809f4d892a60576acf4a54f0cf3a65f63cc1a6f9f7a707d4f629ffa863c354
Instruction Fuzzy Hash: EE416A71E08A4C8FDB98DF98D855BE9BBF1FB99310F00416ED00ED7291DA74A985CB81

Function 00007FFD9BBA16DD Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64043b8c86e72122e4297242d57b5ff792bcddb0a23d4d76d47e27e35f03caa3
Instruction ID: 93036c065fefe230ec15a073c9da5406054504494f306b71d45c2bfd44c9ec0d
Opcode Fuzzy Hash: 64043b8c86e72122e4297242d57b5ff792bcddb0a23d4d76d47e27e35f03caa3
Instruction Fuzzy Hash: 31310430B1DA894FD799DB388864A6577E1FF9A308B1541BAD04ECB2D6CD28BC45C301

Function 00007FFD9BBA12A6 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aafae4134b863b75d0e127533bc473390690cb2728af933b2f25ab319ae9cf40
Instruction ID: cd65dbcbc9d451c39c854bf209266b824bcf954c6d087d03ace3d5942b806a95
Opcode Fuzzy Hash: aafae4134b863b75d0e127533bc473390690cb2728af933b2f25ab319ae9cf40
Instruction Fuzzy Hash: 5FF0375094FBC60FE71353B50C2A6957F919E131A8F4E02EAD494CA1F3E88D959AC362

Function 00007FFD9BBA12E0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3153702589.00007FFD9BBA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BBA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9bba0000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7382dbad28d9deb0cc71bafbefa37d1d59dbc58eebe4f386af4a05a4a0a6b000
Instruction ID: 3fc61935c5a4b9369705b46d238f3d7cf66ce59d5f9d5e488c405ae14022cfcc
Opcode Fuzzy Hash: 7382dbad28d9deb0cc71bafbefa37d1d59dbc58eebe4f386af4a05a4a0a6b000
Instruction Fuzzy Hash: CDB09244E17D1F00E96C32A609720B62080AF4A259FC60279A808C40D6E80CD6ED81A2

Non-executed Functions

Function 00007FFD9B89BAA1 Relevance: 2.8, Strings: 2, Instructions: 309COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FFD9B89BCDD
gfff, xrefs: 00007FFD9B89BCC8

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID: gfff$gfff
API String ID: 0-3084402119
Opcode ID: 533a0b2ef962eaf6c9903d32da585e128168e4e418f3551fb5ff7a2031f1994c
Instruction ID: ff9dbfaa6d94f7d91f19fc4b47d59167c3c645c4dac955cb59861100ffe475ce
Opcode Fuzzy Hash: 533a0b2ef962eaf6c9903d32da585e128168e4e418f3551fb5ff7a2031f1994c
Instruction Fuzzy Hash: 08910430B1D7494FD758DB18985267ABBD5FF89704F11417DE48BC72A6CE28F8428782

Function 00007FFD9B89C7E0 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3140749467.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b890000_23bGlBtTiX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58cf145dfbc96966c6b1edc565a66af54e270c8547f8fc6b32eb3a030282ed6
Instruction ID: 69fa57a4fc7eed529c3173620a6fe8b92c16bea5f54e1c8aff89f8258e9b5cfe
Opcode Fuzzy Hash: e58cf145dfbc96966c6b1edc565a66af54e270c8547f8fc6b32eb3a030282ed6
Instruction Fuzzy Hash: 74F14A71B1EB894FEB6DDB6888265797FD1EF5A310F0505BED489C71A3ED24A8028342

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 23bGlBtTiX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Costura\0356CB2390ED0D212B1CEB25ED194726\64\magick.native-q8-x64.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 23bGlBtTiX.exePID: 6760, Parent PID: 2580

General

Chronological Activities

Disassembly

Windows Analysis Report
23bGlBtTiX.exe

Function 00007FFD9B899BA0 Relevance: 1.9, Strings: 1, Instructions: 673
COMMON

Function 00007FFD9B890548 Relevance: 1.7, Strings: 1, Instructions: 456
COMMON

Function 00007FFD9B897E49 Relevance: 1.5, Strings: 1, Instructions: 287
COMMON

Function 00007FFD9B89244C Relevance: 1.6, APIs: 1, Instructions: 128
libraryCOMMON

Function 00007FFD9B89236A Relevance: 1.6, APIs: 1, Instructions: 112
COMMON