Windows Analysis Report
Authenticator.exe

Overview

General Information

Sample name:	Authenticator.exe
Analysis ID:	1502364
MD5:	b7aa705ae0273c87a7af8c79f47247d2
SHA1:	6b4993e818a6751a99e7d653472e259e6cab5c70
SHA256:	01db4e69578d9b424087b90550463a1a1ce88e36f77050fc443d3b6b50b85b23
Tags:	exe
Infos:

Detection

RedLine

Score:	45
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected RedLine Stealer

AI detected suspicious sample

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Uses 32bit PE files

Source: Authenticator.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Authenticator.exe

Static PE information: certificate valid

Source: Authenticator.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb( source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdb source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdb source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdbGCTL source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp

Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/chromium/issues/entry
Source: Authenticator.exe, 00000000.00000003.2343665752.00000000036D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/122474.
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/415315
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/415315.
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Authenticator.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Authenticator.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Authenticator.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Authenticator.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Authenticator.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Authenticator.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Authenticator.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload
Source: Authenticator.exe	String found in binary or memory: https://auth.docker.com/
Source: Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments-stage.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/annots_metadata.jsonld
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593166
Source: Authenticator.exe, 00000000.00000003.2343584143.0000000003714000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/787427.
Source: Authenticator.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.iohttps://notify.adobe.ioEnableDesktopNotificationlocaleEXPIRED%lldSync
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.iourifullpayloadlinksinvitationURIreviewURIcommentingAssetURNEurekaInvitationI
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com(
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com.adobe.ioassetUrnreviewUrn
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com0cW
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comEventSignalForNotiUpdaterUserMetaDataAdobe
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comKhttps://scss.adobesc.com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comReadStatusH
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comX
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsFetch_AnnotsEurekaReviewFetch
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comemptyAnnotations
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.cominvalidAnnotIdListp
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comreasoncom.adobe.review.sdk
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comsuspendcrequestupdateuoperateop:W
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/cloudprint/answer/2541843
Source: Authenticator.exe	String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.cominvalid
Source: Authenticator.exe	String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Authenticator.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/cloudprint#jobs

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: Authenticator.exe, 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896370901.0000000002F10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelpPane.exej% vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2476787398.0000000002F2A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2344961613.0000000003404000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystemSettings.exej% vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename64BitMAPIBroker.exeD vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdobeCollabSync.exeH vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdobeCollabSync.exeb! vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2122269693.0000000009BC4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2475688677.0000000003700000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroBroker.exe~/ vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000000.1676393637.00000000020EF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSaint Paint Studio.exe vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroCEF.exeH vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroCEF.exe< vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCRLogTransport .exe6 vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLogTransport2.exe0 vs Authenticator.exe
Source: Authenticator.exe	Binary or memory string: OriginalFilenameSaint Paint Studio.exe vs Authenticator.exe

Uses 32bit PE files

Source: Authenticator.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal45.troj.winEXE@1/0@0/0

Source: Authenticator.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Authenticator.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT branches.content_item_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) JOIN content_items ON( content_items.creation_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch1 AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id NOT IN ( SELECT branches.content_item_revision_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch2))));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted,(SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = :id AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_relations ( src_content_item_id TEXT NOT NULL, target_content_item_id TEXT NOT NULL, rel TEXT NOT NULL, PRIMARY KEY (src_content_item_id, target_content_item_id, rel));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE branches SET content_item_revision_id = :contentItemRevisionId, modified = :modified, download_state = :downloadState WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_content ( resource_content_id TEXT PRIMARY KEY NOT NULL, resource_content TEXT NOT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO content_items( creation_id, asset_id, type, content_item_type, created, removed_from_server, pending_local_delete) VALUES( :creationId, :assetId, :type, :contentItemType, :created, :removedFromServer, :pendingLocalDelete);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO pending_requests( pending_request_id, request_type, content_item_id, context) VALUES( :pendingRequestId, :requestType, :contentItemId, :context);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT *, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = creation_id_local AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload, (SELECT 1 from branches where branch_name = 'conflict' AND content_item_id = creation_id_local) as is_conflicted, ( SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id and branches.content_item_id = creation_id_local) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base'))))) as is_sync_pending FROM ( SELECT content_item_relations.src_content_item_id, branches.download_state, branches.record_created, branches.modified, content_items.creation_id , content_items.creation_id as creation_id_local, branches.content_item_id, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_item_revisions SET local_etag = :localEtag, request_id = :requestId, updated = :updated WHERE( content_item_revision_id IN ( SELECT content_item_revision_id FROM branches WHERE( content_item_id = :contentItemId AND branch_name = :branchName ANDapp_id = :appId)));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType and content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE device_mappings SET unPinned = 1 WHERE(content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT OR REPLACE INTO branches( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS pending_requests ( pending_request_id TEXT PRIMARY KEY NOT NULL, request_type TEXT NOT NULL, content_item_id TEXT DEFAULT NULL, context TEXT DEFAULT NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :assetId AND branches.branch_name = :branchName AND branches.app_id = :appId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT OR REPLACE INTO content_item_relations( src_content_item_id, target_content_item_id, rel) VALUES( :srcContentItemId, :targetContentItemId, :rel);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO resource_revisions( revision_id, rel_to_content_item, resource_type, media_type, locator, committed, hashType, hash, storageSize, width, height) VALUES( :revisionId, :relToContentItem, :resourceType, :mediaType, :locator_var, :committed_var, :hashType_var, :hash_var, :storageSize_var, :width_var, :height_var);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_items.creation_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'current' AND branches.app_id = :appid) AND ((content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR (content_item_revisions.content_item_revision_id) NOT IN ( SELECT content_item_revisions.content_item_revision_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'base' AND branches.app_id = :appid))) AND content_items.creation_id NOT IN ( SELECT content_item_id FROM branches WHERE( branch_name = 'error'));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS branches ( content_item_id TEXT NOT NULL, content_item_revision_id TEXT NOT NULL, branch_name TEXT NOT NULL, app_id TEXT NOT NULL, is_transient INTEGER DEFAULT 0 NOT NULL, record_created TIMESTAMP NOT NULL, modified TIMESTAMP NOT NULL, download_state TEXT DEFAULT NULL, PRIMARY KEY (content_item_id, branch_name, app_id));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT creation_id FROM content_items WHERE asset_id = :assetId;
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO device_mappings( device_mapping_id, content_item_id, collection_id, content_item_type, include_rel_types, include_depth, branch, TTL, Priority, app_info) VALUES( :deviceMappingId, :contentItemId, :collectionId, :contentItemType, :includeRelTypes, :includeDepth, :branch, :TTL, :priority, :appInfo);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO content_item_resources( content_item_revision_id, resource_revision_id) VALUES( :contentItemRevisionId, :resourceRevisionId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO branches ( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( unPinned = 1);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET removed_from_server = :removedFromServer WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted, (SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :collectionId AND branches.branch_name = :branchName AND branches.app_id = :appId)) as collection_cloud_etag FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN content_item_rel
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE branches SET modified = :modified WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT branches.content_item_id FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = :branch1 AND branches.content_item_id = :contentItemId AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = :branch2 AND branches.content_item_id = :contentItemId))));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_updates ( seq_num INTEGER PRIMARY KEY NOT NULL, app_id TEXT NOT NULL, content_item_local_id TEXT NOT NULL, time TIMESTAMP NOT NULL, operation TEXT NOT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET asset_id = :assetId WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: select count(*) from SQLITE_MASTER where type = "table";
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO content_item_revisions( content_item_revision_id, cloud_etag, updated, local_etag, request_id, content_name) VALUES( :contentIemRevisionId, :cloudEtag, :updated, :localEtag, :requestId, :contentName);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_items( creation_id TEXT PRIMARY KEY NOT NULL, asset_id TEXT DEFAULT NULL, type TEXT NOT NULL, content_item_type TEXT NOT NULL, created TEXT NOT NULL, removed_from_server INTEGER DEFAULT 0 NOT NULL, pending_local_delete INTEGER DEFAULT 0 NOT NULL, update_seq_num INTEGER DEFAULT 0 NOT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS device_mappings ( device_mapping_id TEXT PRIMARY KEY NOT NULL, content_item_id TEXT NOT NULL, content_item_type TEXT NOT NULL, include_rel_types TEXT DEFAULT NULL, include_depth INTEGER DEFAULT 0 NOT NULL, branch TEXT DEFAULT NULL, device_mapping_created TIMESTAMP DEFAULT (strftime('%s', 'now')) NOT NULL, collection_id TEXT DEFAULT NULL, TTL INTEGER DEFAULT 0 NOT NULL, Priority INTEGER DEFAULT 0 NOT NULL, app_info TEXT NOT NULL, unPinned INTEGER DEFAULT 0 NOT NULL, UNIQUE (content_item_id, branch));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE pending_requests SET request_status = :requestStatus, message = :message, status_code = :statusCode WHERE( pending_request_id = :pendingRequestId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO resource_content( resource_content_id, resource_content) VALUES ( :resourceContentId, :resourceContent);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT *FROM pending_requests WHERE(content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT OR REPLACE INTO branches ( content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, branch_name) SELECT content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, :targetBranchname from branches WHERE branch_name = :srcBranchname AND content_item_id = :contentItemId AND app_id = :appId;

Source: Authenticator.exe	String found in binary or memory: go_threadsres binderres masterresumptionexp masterconnectionuser-agentConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookiekeep-aliveequivalentHost: %s
Source: Authenticator.exe	String found in binary or memory: ... omitting ^#\\|\s+msgctxt.WithoutCancel.WithDeadline(.in-addr.arpa.unknown mode: protobuf_oneofXXX_OneofFuncsreserved_rangefield_presenceheap_sys_bytes\.+?()\|[]{}^$bad record MACcontent-lengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not AcceptableControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueW([a-f0-9]{64})document startsequence startadd_dir_headervault.azure.cnmime/multipartzero parameterprefix length not an ip:portinvalid PrefixRCodeNameErrorResourceHeaderSubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSprotobuf errorMessageOptionsServiceOptionsinvalid kind: XXX_extensionsInstEmptyWidthresourceGroups> closed by </Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODLABEL_OPTIONALLABEL_REPEATEDLABEL_REQUIREDEDITION_LEGACYEDITION_PROTO2EDITION_PROTO3StaticProvidercloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-\w+\-\d+$%s Channel #%dgrpc-trace-bintoo_many_pingsunknown ID: %vAuthInfo: '%s'show_sensitiveReservedRangesdtls fatal: %vRecordOverflowBadCertificatekey is invalidLOGGER_UNKNOWNformnovalidate$htmltemplate_ / %s */null failed to castunknown node: ApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;len of type %shttpt
Source: Authenticator.exe	String found in binary or memory: longer proceed.user arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goruntime.SetFinalizer: pointer not at beginning of allocated blockreflect: StructOf does not support methods of embedded interfacesx509: inner and outer signature algorithm identifiers don't matchx509: issuer name does not match subject from issuing certificateDesc{fqName: %q, help: %q, constLabels: {%s}, variableLabels: %v}tls: internal error: attempted to read record with QUIC transporttls: server selected an invalid version after a HelloRetryRequestnet/http: Transport.DialTLS or DialTLSContext returned (nil, nil)cryptobyte: pending child length %d exceeds %d-byte length prefixreceived context error while waiting for new LB policy update: %sxml: name %q in tag of %s.%s conflicts with name %q in %s.XMLNamenistec: internal error: p224Table called with out-of-bounds valuenistec: internal error: p256Table called with out-of-bounds valuenistec: internal error: p384Table called with out-of-bounds valuenistec: internal error: p521Table called with out-of-bounds valuebinarylogging: message to log is neither proto.message nor []bytelast data directory entry is a reserved field, must be set to zerounable to query buffer size from InitializeProcThreadAttributeListdbus.Store: type mismatch: map: cannot store a value of %s into %sThere was an error processing the upload and it must be restarted.reflect: indirection through nil pointer to embedded struct field x509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typepkcs7: signing time %q is outside of certificate validity %q to %qNumber of heap bytes when next garbage collection will take place.tls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensioninternal error: attempted to parse unknown event (please report): If non-empty, use this log file (no effect when -logtostderr=true)If true, adds the file directory to the header of the log messagescryptobyte: high-tag number identifier octects not supported: 0x%xDescriptor.Options called without importing the descriptor packageCumulative sum of memory allocated to the heap by the application.base.baseBalancer: UpdateSubConnState(%v, %+v) called unexpectedlyreceived goaway with non-zero even-numbered numbered stream id: %vmetadata: Pairs got the odd number of input pairs for metadata: %dtls: server sent certificate containing RSA key larger than %d bitsServer retry pushback specified multiple values (%q); not retrying.field %v with invalid Mutable call on field with non-composite typeMemory that is used by the stack trace hash map used for profiling.base.baseBalancer: got state changes for an unknown SubConn: %p, %vtransport: cannot send secure credentials on an insecure connectionif non-empty, httptest.Ne
Source: Authenticator.exe	String found in binary or memory: includes an invalid layer digest.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an o
Source: Authenticator.exe	String found in binary or memory: includes an invalid layer digest.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an o
Source: Authenticator.exe	String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.2h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
Source: Authenticator.exe	String found in binary or memory: net/addrselect.go
Source: Authenticator.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: Authenticator.exe	String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go

Source: C:\Users\user\Desktop\Authenticator.exe

File read: C:\Users\user\Desktop\Authenticator.exe

Jump to behavior

Source: C:\Users\user\Desktop\Authenticator.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Section loaded: umpdc.dll			Jump to behavior

Source: Authenticator.exe

Static PE information: certificate valid

Source: Authenticator.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Authenticator.exe

Static file information: File size 19019576 > 1048576

Source: Authenticator.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7b7000
Source: Authenticator.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x964200

Source: Authenticator.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb( source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdb source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdb source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdbGCTL source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp

PE file contains sections with non-standard names

Source: Authenticator.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\Authenticator.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Users\user\Desktop\Authenticator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\EFI\ko-KR VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\EFI\lt-LT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\EFI\lv-LV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\nb-NO VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\pl-PL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\pt-PT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\ro-RO VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\tr-TR VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\uk-UA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\zh-CN VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\zh-TW VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Branding\Basebrd\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\CSC\v2.0.6\namespace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\DigitalLocker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\DigitalLocker\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Downloaded Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ELAMBKUP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Fonts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\GameBarPresenceWriter VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS\HyphenationDictionaries VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS\SpellDictionaries VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS\SpellDictionaries\Fluency VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ICU VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\OEM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\OEM\IndexStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\Windows\ContentStore\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\Windows\IndexStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\Windows\IndexStore\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\mui VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\HelpPane.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\HelpPane.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\IME VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\IME\IMEJP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\IME\IMETC\DICTS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for Oracle\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NETFramework\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\BITS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\BITS\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\BITS\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ESENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\MSDTC Bridge 4.0.0.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\MSDTC Bridge 4.0.0.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TAPISRV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TAPISRV\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TAPISRV\0809 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TermService VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TermService\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TermService\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\UGTHRSVC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings\Assets VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\pris VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\InputMethod VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\InputMethod\SHARED VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\00006109F80000000100000000F01FEC\16.0.16827 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_AcrobatInfo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\SingleClientServicesUpdater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_4bitmapibroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobat_sl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobat_sl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrocef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrocef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrotextextractor.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrotextextractor.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adelrcp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adelrcp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\logtransport2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\logtransport2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\wcchromenativemessaginghost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\{AC76BA86-1033-1033-7760-BC15014EA700} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\L2Schemas VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\LanguageOverlayCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Logs\CBS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Logs\DISM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Logs\waasmedic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Afternoon VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Heritage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Landscape VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Quirky VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v1.0.3705 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v1.1.4322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\1033 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\1033 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR

Yara detected Credential Stealer

Source: Yara match	File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122298099.0000000009BB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2476787398.0000000002F2A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2344961613.0000000003404000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2123903017.00000000097D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122269693.0000000009BC4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475688677.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2091317406.0000000002F28000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345472565.0000000002F58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345454228.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2388214190.0000000002D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2477412382.0000000002D42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1936782689.0000000005864000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1896945017.0000000002D0E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1896921247.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1896907726.0000000002D2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2123875583.00000000097E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.0% probability

Uses 32bit PE files

Source: Authenticator.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Authenticator.exe

Static PE information: certificate valid

Source: Authenticator.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb( source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdb source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdb source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdbGCTL source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp

Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://code.google.com/p/chromium/issues/entry
Source: Authenticator.exe, 00000000.00000003.2343665752.00000000036D4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/122474.
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/415315
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crbug.com/415315.
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: Authenticator.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Authenticator.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Authenticator.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Authenticator.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: Authenticator.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Authenticator.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Authenticator.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: Authenticator.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload
Source: Authenticator.exe	String found in binary or memory: https://auth.docker.com/
Source: Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments-stage.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/annots_metadata.jsonld
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/bulk_entity_v1.json
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/entity_v1.json
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/593166
Source: Authenticator.exe, 00000000.00000003.2343584143.0000000003714000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://crbug.com/787427.
Source: Authenticator.exe	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify-stage.adobe.iohttps://notify.adobe.ioEnableDesktopNotificationlocaleEXPIRED%lldSync
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://notify.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.io
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://reviews.adobe.iourifullpayloadlinksinvitationURIreviewURIcommentingAssetURNEurekaInvitationI
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com(
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com.adobe.ioassetUrnreviewUrn
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.com0cW
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comEventSignalForNotiUpdaterUserMetaDataAdobe
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comKhttps://scss.adobesc.com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comReadStatusH
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comX
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsFetch_AnnotsEurekaReviewFetch
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comemptyAnnotations
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.cominvalidAnnotIdListp
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comreasoncom.adobe.review.sdk
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://scss.adobesc.comsuspendcrequestupdateuoperateop:W
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/cloudprint/answer/2541843
Source: Authenticator.exe	String found in binary or memory: https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.cominvalid
Source: Authenticator.exe	String found in binary or memory: https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Authenticator.exe	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/cloudprint#jobs

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Arechclient2 RAT Author: ditekSHen

Sample file is different than original file name gathered from version info

Source: Authenticator.exe, 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896370901.0000000002F10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelpPane.exej% vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2476787398.0000000002F2A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2344961613.0000000003404000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystemSettings.exej% vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename64BitMAPIBroker.exeD vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdobeCollabSync.exeH vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAdobeCollabSync.exeb! vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2122269693.0000000009BC4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2475688677.0000000003700000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroBroker.exe~/ vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000000.1676393637.00000000020EF000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSaint Paint Studio.exe vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroCEF.exeH vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAcroCEF.exe< vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCRLogTransport .exe6 vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLogTransport2.exe0 vs Authenticator.exe
Source: Authenticator.exe	Binary or memory string: OriginalFilenameSaint Paint Studio.exe vs Authenticator.exe

Uses 32bit PE files

Source: Authenticator.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT

Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, -Module-.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal45.troj.winEXE@1/0@0/0

Source: Authenticator.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Authenticator.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT branches.content_item_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) JOIN content_items ON( content_items.creation_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch1 AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id NOT IN ( SELECT branches.content_item_revision_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch2))));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted,(SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = :id AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_relations ( src_content_item_id TEXT NOT NULL, target_content_item_id TEXT NOT NULL, rel TEXT NOT NULL, PRIMARY KEY (src_content_item_id, target_content_item_id, rel));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE branches SET content_item_revision_id = :contentItemRevisionId, modified = :modified, download_state = :downloadState WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_content ( resource_content_id TEXT PRIMARY KEY NOT NULL, resource_content TEXT NOT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO content_items( creation_id, asset_id, type, content_item_type, created, removed_from_server, pending_local_delete) VALUES( :creationId, :assetId, :type, :contentItemType, :created, :removedFromServer, :pendingLocalDelete);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO pending_requests( pending_request_id, request_type, content_item_id, context) VALUES( :pendingRequestId, :requestType, :contentItemId, :context);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT *, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = creation_id_local AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload, (SELECT 1 from branches where branch_name = 'conflict' AND content_item_id = creation_id_local) as is_conflicted, ( SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id and branches.content_item_id = creation_id_local) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base'))))) as is_sync_pending FROM ( SELECT content_item_relations.src_content_item_id, branches.download_state, branches.record_created, branches.modified, content_items.creation_id , content_items.creation_id as creation_id_local, branches.content_item_id, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_item_revisions SET local_etag = :localEtag, request_id = :requestId, updated = :updated WHERE( content_item_revision_id IN ( SELECT content_item_revision_id FROM branches WHERE( content_item_id = :contentItemId AND branch_name = :branchName ANDapp_id = :appId)));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType and content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE device_mappings SET unPinned = 1 WHERE(content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT OR REPLACE INTO branches( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS pending_requests ( pending_request_id TEXT PRIMARY KEY NOT NULL, request_type TEXT NOT NULL, content_item_id TEXT DEFAULT NULL, context TEXT DEFAULT NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :assetId AND branches.branch_name = :branchName AND branches.app_id = :appId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT OR REPLACE INTO content_item_relations( src_content_item_id, target_content_item_id, rel) VALUES( :srcContentItemId, :targetContentItemId, :rel);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO resource_revisions( revision_id, rel_to_content_item, resource_type, media_type, locator, committed, hashType, hash, storageSize, width, height) VALUES( :revisionId, :relToContentItem, :resourceType, :mediaType, :locator_var, :committed_var, :hashType_var, :hash_var, :storageSize_var, :width_var, :height_var);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_items.creation_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'current' AND branches.app_id = :appid) AND ((content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR (content_item_revisions.content_item_revision_id) NOT IN ( SELECT content_item_revisions.content_item_revision_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'base' AND branches.app_id = :appid))) AND content_items.creation_id NOT IN ( SELECT content_item_id FROM branches WHERE( branch_name = 'error'));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS branches ( content_item_id TEXT NOT NULL, content_item_revision_id TEXT NOT NULL, branch_name TEXT NOT NULL, app_id TEXT NOT NULL, is_transient INTEGER DEFAULT 0 NOT NULL, record_created TIMESTAMP NOT NULL, modified TIMESTAMP NOT NULL, download_state TEXT DEFAULT NULL, PRIMARY KEY (content_item_id, branch_name, app_id));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT creation_id FROM content_items WHERE asset_id = :assetId;
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO device_mappings( device_mapping_id, content_item_id, collection_id, content_item_type, include_rel_types, include_depth, branch, TTL, Priority, app_info) VALUES( :deviceMappingId, :contentItemId, :collectionId, :contentItemType, :includeRelTypes, :includeDepth, :branch, :TTL, :priority, :appInfo);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO content_item_resources( content_item_revision_id, resource_revision_id) VALUES( :contentItemRevisionId, :resourceRevisionId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO branches ( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( unPinned = 1);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET removed_from_server = :removedFromServer WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted, (SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :collectionId AND branches.branch_name = :branchName AND branches.app_id = :appId)) as collection_cloud_etag FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN content_item_rel
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE branches SET modified = :modified WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT branches.content_item_id FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = :branch1 AND branches.content_item_id = :contentItemId AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = :branch2 AND branches.content_item_id = :contentItemId))));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_updates ( seq_num INTEGER PRIMARY KEY NOT NULL, app_id TEXT NOT NULL, content_item_local_id TEXT NOT NULL, time TIMESTAMP NOT NULL, operation TEXT NOT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET asset_id = :assetId WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: select count(*) from SQLITE_MASTER where type = "table";
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO content_item_revisions( content_item_revision_id, cloud_etag, updated, local_etag, request_id, content_name) VALUES( :contentIemRevisionId, :cloudEtag, :updated, :localEtag, :requestId, :contentName);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS content_items( creation_id TEXT PRIMARY KEY NOT NULL, asset_id TEXT DEFAULT NULL, type TEXT NOT NULL, content_item_type TEXT NOT NULL, created TEXT NOT NULL, removed_from_server INTEGER DEFAULT 0 NOT NULL, pending_local_delete INTEGER DEFAULT 0 NOT NULL, update_seq_num INTEGER DEFAULT 0 NOT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS device_mappings ( device_mapping_id TEXT PRIMARY KEY NOT NULL, content_item_id TEXT NOT NULL, content_item_type TEXT NOT NULL, include_rel_types TEXT DEFAULT NULL, include_depth INTEGER DEFAULT 0 NOT NULL, branch TEXT DEFAULT NULL, device_mapping_created TIMESTAMP DEFAULT (strftime('%s', 'now')) NOT NULL, collection_id TEXT DEFAULT NULL, TTL INTEGER DEFAULT 0 NOT NULL, Priority INTEGER DEFAULT 0 NOT NULL, app_info TEXT NOT NULL, unPinned INTEGER DEFAULT 0 NOT NULL, UNIQUE (content_item_id, branch));
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE pending_requests SET request_status = :requestStatus, message = :message, status_code = :statusCode WHERE( pending_request_id = :pendingRequestId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO resource_content( resource_content_id, resource_content) VALUES ( :resourceContentId, :resourceContent);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT *FROM pending_requests WHERE(content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_id = :contentItemId);
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT OR REPLACE INTO branches ( content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, branch_name) SELECT content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, :targetBranchname from branches WHERE branch_name = :srcBranchname AND content_item_id = :contentItemId AND app_id = :appId;

Source: Authenticator.exe	String found in binary or memory: go_threadsres binderres masterresumptionexp masterconnectionuser-agentConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookiekeep-aliveequivalentHost: %s
Source: Authenticator.exe	String found in binary or memory: ... omitting ^#\\|\s+msgctxt.WithoutCancel.WithDeadline(.in-addr.arpa.unknown mode: protobuf_oneofXXX_OneofFuncsreserved_rangefield_presenceheap_sys_bytes\.+?()\|[]{}^$bad record MACcontent-lengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not AcceptableControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueW([a-f0-9]{64})document startsequence startadd_dir_headervault.azure.cnmime/multipartzero parameterprefix length not an ip:portinvalid PrefixRCodeNameErrorResourceHeaderSubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSprotobuf errorMessageOptionsServiceOptionsinvalid kind: XXX_extensionsInstEmptyWidthresourceGroups> closed by </Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODLABEL_OPTIONALLABEL_REPEATEDLABEL_REQUIREDEDITION_LEGACYEDITION_PROTO2EDITION_PROTO3StaticProvidercloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-\w+\-\d+$%s Channel #%dgrpc-trace-bintoo_many_pingsunknown ID: %vAuthInfo: '%s'show_sensitiveReservedRangesdtls fatal: %vRecordOverflowBadCertificatekey is invalidLOGGER_UNKNOWNformnovalidate$htmltemplate_ / %s */null failed to castunknown node: ApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;len of type %shttpt
Source: Authenticator.exe	String found in binary or memory: longer proceed.user arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goruntime.SetFinalizer: pointer not at beginning of allocated blockreflect: StructOf does not support methods of embedded interfacesx509: inner and outer signature algorithm identifiers don't matchx509: issuer name does not match subject from issuing certificateDesc{fqName: %q, help: %q, constLabels: {%s}, variableLabels: %v}tls: internal error: attempted to read record with QUIC transporttls: server selected an invalid version after a HelloRetryRequestnet/http: Transport.DialTLS or DialTLSContext returned (nil, nil)cryptobyte: pending child length %d exceeds %d-byte length prefixreceived context error while waiting for new LB policy update: %sxml: name %q in tag of %s.%s conflicts with name %q in %s.XMLNamenistec: internal error: p224Table called with out-of-bounds valuenistec: internal error: p256Table called with out-of-bounds valuenistec: internal error: p384Table called with out-of-bounds valuenistec: internal error: p521Table called with out-of-bounds valuebinarylogging: message to log is neither proto.message nor []bytelast data directory entry is a reserved field, must be set to zerounable to query buffer size from InitializeProcThreadAttributeListdbus.Store: type mismatch: map: cannot store a value of %s into %sThere was an error processing the upload and it must be restarted.reflect: indirection through nil pointer to embedded struct field x509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typepkcs7: signing time %q is outside of certificate validity %q to %qNumber of heap bytes when next garbage collection will take place.tls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensioninternal error: attempted to parse unknown event (please report): If non-empty, use this log file (no effect when -logtostderr=true)If true, adds the file directory to the header of the log messagescryptobyte: high-tag number identifier octects not supported: 0x%xDescriptor.Options called without importing the descriptor packageCumulative sum of memory allocated to the heap by the application.base.baseBalancer: UpdateSubConnState(%v, %+v) called unexpectedlyreceived goaway with non-zero even-numbered numbered stream id: %vmetadata: Pairs got the odd number of input pairs for metadata: %dtls: server sent certificate containing RSA key larger than %d bitsServer retry pushback specified multiple values (%q); not retrying.field %v with invalid Mutable call on field with non-composite typeMemory that is used by the stack trace hash map used for profiling.base.baseBalancer: got state changes for an unknown SubConn: %p, %vtransport: cannot send secure credentials on an insecure connectionif non-empty, httptest.Ne
Source: Authenticator.exe	String found in binary or memory: includes an invalid layer digest.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an o
Source: Authenticator.exe	String found in binary or memory: includes an invalid layer digest.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an o
Source: Authenticator.exe	String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.2h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
Source: Authenticator.exe	String found in binary or memory: net/addrselect.go
Source: Authenticator.exe	String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
Source: Authenticator.exe	String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go

Source: C:\Users\user\Desktop\Authenticator.exe

File read: C:\Users\user\Desktop\Authenticator.exe

Jump to behavior

Source: C:\Users\user\Desktop\Authenticator.exe	Section loaded: powrprof.dll			Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Section loaded: umpdc.dll			Jump to behavior

Source: Authenticator.exe

Static PE information: certificate valid

Source: Authenticator.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Authenticator.exe

Static file information: File size 19019576 > 1048576

Source: Authenticator.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7b7000
Source: Authenticator.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x964200

Source: Authenticator.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb( source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdb source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdb source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: SystemSettings.pdbGCTL source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: 64BitMAPIBroker.pdb source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp

PE file contains sections with non-standard names

Source: Authenticator.exe

Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\Authenticator.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Users\user\Desktop\Authenticator.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\EFI\ko-KR VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\EFI\lt-LT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\EFI\lv-LV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\nb-NO VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\pl-PL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\pt-PT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\ro-RO VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\tr-TR VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\uk-UA VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\zh-CN VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Boot\PCAT\zh-TW VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Branding\Basebrd\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\CSC\v2.0.6\namespace VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\DigitalLocker VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\DigitalLocker\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Downloaded Program Files VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ELAMBKUP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Fonts VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\GameBarPresenceWriter VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS\HyphenationDictionaries VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS\SpellDictionaries VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ELS\SpellDictionaries\Fluency VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Globalization\ICU VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\OEM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\OEM\IndexStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\Windows\ContentStore\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\Windows\IndexStore VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\Windows\IndexStore\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Help\mui VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\HelpPane.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\HelpPane.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\IME VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\IME\IMEJP VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\IME\IMETC\DICTS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for Oracle\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\.NETFramework\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\BITS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\BITS\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\BITS\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ESENT VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\MSDTC Bridge 4.0.0.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\MSDTC Bridge 4.0.0.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TAPISRV VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TAPISRV\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TAPISRV\0809 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TermService VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TermService\0000 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\TermService\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\INF\UGTHRSVC VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings\Assets VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\en-GB VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\pris VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\InputMethod VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\InputMethod\SHARED VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\00006109F80000000100000000F01FEC\16.0.16827 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_AcrobatInfo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\SingleClientServicesUpdater.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_4bitmapibroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobat_sl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobat_sl.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobroker.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrocef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrocef.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrotextextractor.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrotextextractor.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adelrcp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adelrcp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\logtransport2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\logtransport2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\wcchromenativemessaginghost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Installer\{AC76BA86-1033-1033-7760-BC15014EA700} VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\L2Schemas VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\LanguageOverlayCache VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Logs\CBS VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Logs\DISM VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Logs\waasmedic VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Afternoon VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Heritage VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Landscape VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Media\Quirky VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v1.0.3705 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v1.1.4322 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\1033 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\en-US VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\1033 VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Authenticator.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR

Yara detected Credential Stealer

Source: Yara match	File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122298099.0000000009BB4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2476787398.0000000002F2A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2344961613.0000000003404000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2123903017.00000000097D4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2122269693.0000000009BC4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475688677.0000000003700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2091317406.0000000002F28000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345472565.0000000002F58000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345454228.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2388214190.0000000002D64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2477412382.0000000002D42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1936782689.0000000005864000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1896945017.0000000002D0E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1896921247.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1896907726.0000000002D2E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2123875583.00000000097E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR

ID:	1502364
Product:	CloudBasic
Start time:	01:04:10
Start date:	01.09.2024
Sample:	Authenticator.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b7aa705ae0273c87a7af8c79f47247d2
SHA1:	6b4993e818a6751a99e7d653472e259e6cab5c70
SHA256:	01db4e69578d9b424087b90550463a1a1ce88e36f77050fc443d3b6b50b85b23
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
Authenticator.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Authenticator.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Authenticator.exe

Malware Threat Intel
Provided by