Windows Analysis Report
Authenticator.exe

Overview

General Information

Sample name: Authenticator.exe
Analysis ID: 1502364
MD5: b7aa705ae0273c87a7af8c79f47247d2
SHA1: 6b4993e818a6751a99e7d653472e259e6cab5c70
SHA256: 01db4e69578d9b424087b90550463a1a1ce88e36f77050fc443d3b6b50b85b23
Tags: exe

Detection

RedLine
Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected RedLine Stealer
AI detected suspicious sample
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Authenticator.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\Authenticator.exe" MD5: B7AA705AE0273C87A7AF8C79F47247D2)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp | Msfpayloads_msf_9 | Metasploit Payloads - file msf.war - contents | Florian Roth
  • 0x0:$x1: 4d5a9000030000000
00000000.00000003.2122298099.0000000009BB4000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(79 further memory-dump entries not shown)
Source | Rule | Description | Author | Strings
0.3.Authenticator.exe.57b0000.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.3.Authenticator.exe.57b0000.7.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.Authenticator.exe.57b0000.7.unpack | MALWARE_Win_Arechclient2 | Detects Arechclient2 RAT | ditekSHen
  • 0xb6852:$s14: keybd_event
  • 0xbd5c1:$v1_1: grabber@
  • 0xb7424:$v1_2: <BrowserProfile>k__
  • 0xb7e9d:$v1_3: <SystemHardwares>k__
  • 0xb7f5c:$v1_5: <ScannedWallets>k__
  • 0xb7fec:$v1_6: <DicrFiles>k__
  • 0xb7fc8:$v1_7: <MessageClientFiles>k__
  • 0xb8392:$v1_8: <ScanBrowsers>k__BackingField
  • 0xb83e4:$v1_8: <ScanWallets>k__BackingField
  • 0xb8401:$v1_8: <ScanScreen>k__BackingField
  • 0xb843b:$v1_8: <ScanVPN>k__BackingField
  • 0xa9c6a:$v1_9: displayName[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}Local Extension Settingshost
  • 0xa9576:$v1_10: \sitemanager.xml MB or SELECT * FROM Cookiesconfig
0.3.Authenticator.exe.2e64000.15.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.3.Authenticator.exe.2e64000.15.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(55 further unpacked-PE entries not shown)
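Two things are worth reading out of the Yara table above before trusting the family label. The Arechclient2 hits are almost all .NET metadata names of the form <Name>k__BackingField, which the C# compiler emits for auto-implemented properties, plus the keybd_event import and the grabber@ literal; the Msfpayloads_msf_9 hits at offset 0x0 begin with the bytes 4d 5a 90 00 03 00 00 00, the standard DOS/MZ header that practically every PE image starts with, so on their own they only show that a PE image sits at the start of those dump regions. The report's RedLine label comes from Joe Security's own rule; the community Arechclient2 rule fires on the same unpacked regions, so the label is a rule outcome, not a settled attribution. The following scanner is an added example, not part of the Joe Sandbox report and not any of the cited rules' code: it searches a dump buffer for the string indicators listed in the report, prints them in the report's 0xOFFSET:$id form, and only calls a region a stealer candidate when several family-specific identifiers match, never on the MZ header alone. The $v1_8 alternation, the verdict threshold and the two sample buffers are assumptions constructed here; the two regex-style strings the report shows garbled ($v1_9, $v1_10) are left out.

```python
import re
from dataclasses import dataclass

# Literal indicators copied from the report's rule hits. The MZ header ($x1,
# from Msfpayloads_msf_9) is "generic": any PE image starts with it, so it is
# reported but never counted towards the verdict.
LITERALS = {
    "$x1":   (b"MZ\x90\x00\x03\x00\x00\x00", "generic"),
    "$s14":  (b"keybd_event", "family"),
    "$v1_1": (b"grabber@", "family"),
    "$v1_2": (b"<BrowserProfile>k__", "family"),
    "$v1_3": (b"<SystemHardwares>k__", "family"),
    "$v1_5": (b"<ScannedWallets>k__", "family"),
    "$v1_6": (b"<DicrFiles>k__", "family"),
    "$v1_7": (b"<MessageClientFiles>k__", "family"),
}
# $v1_8 matches four different Scan* names in the report, so it is modelled as
# an alternation here (assumption: the real rule's exact pattern is not on the page).
REGEXES = {
    "$v1_8": (rb"<Scan(?:Browsers|Wallets|Screen|VPN)>k__BackingField", "family"),
}
MIN_FAMILY_IDS = 3   # assumed threshold for a verdict, not the rule's own condition


@dataclass(frozen=True)
class Hit:
    offset: int
    ident: str
    kind: str        # "generic" or "family"
    matched: bytes
    wide: bool       # True if matched as UTF-16LE


def _patterns():
    """Yield (ident, compiled regex, kind, wide) for every indicator.
    Literals are searched as ASCII and as UTF-16LE: .NET metadata names live
    ASCII-encoded in the #Strings heap, user strings UTF-16LE in #US."""
    for ident, (lit, kind) in LITERALS.items():
        yield ident, re.compile(re.escape(lit)), kind, False
        yield ident, re.compile(re.escape(lit.decode("latin-1").encode("utf-16-le"))), kind, True
    for ident, (rx, kind) in REGEXES.items():
        yield ident, re.compile(rx), kind, False


def scan(buf: bytes) -> list[Hit]:
    """Return every indicator hit in buf, sorted by offset."""
    hits = []
    for ident, rx, kind, wide in _patterns():
        for m in rx.finditer(buf):
            hits.append(Hit(m.start(), ident, kind, m.group(0), wide))
    return sorted(hits, key=lambda h: (h.offset, h.ident))


def verdict(hits: list[Hit]) -> str:
    """Classify a scan result. Distinct family identifiers count; the MZ
    header alone only proves a PE image sits at that offset."""
    family = {h.ident for h in hits if h.kind == "family"}
    generic = {h.ident for h in hits if h.kind == "generic"}
    if len(family) >= MIN_FAMILY_IDS:
        return "stealer-candidate"
    if generic and not family:
        return "pe-image-only"
    return "inconclusive"


def format_hits(hits: list[Hit]) -> list[str]:
    """Render hits in the report's '0xOFFSET:$id: value' form."""
    out = []
    for h in hits:
        text = h.matched.decode("utf-16-le") if h.wide else h.matched.decode("latin-1")
        out.append(f"0x{h.offset:x}:{h.ident}: {text}" + (" (wide)" if h.wide else ""))
    return out


# Constructed stand-ins for two memory-dump regions (not data from the report).
SAMPLE_STEALER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" + b"\x00" * 48
    + b"\x00".join([b"<BrowserProfile>k__BackingField", b"<ScanWallets>k__BackingField",
                    b"<ScanVPN>k__BackingField", b"keybd_event"])
    + b"\x00" + "grabber@".encode("utf-16-le")
)
SAMPLE_PLAIN_PE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 32 + b"This program cannot be run in DOS mode."

if __name__ == "__main__":
    for name, buf in (("stealer", SAMPLE_STEALER), ("plain PE", SAMPLE_PLAIN_PE)):
        hits = scan(buf)
        print(name, "->", verdict(hits))
        for line in format_hits(hits):
            print("   ", line)
```

Run it against a raw dump (open(path, "rb").read()) to get the same offset listing the report gives; the plain-PE sample shows why a Msfpayloads_msf_9 hit at 0x0 with nothing else is not a Metasploit finding.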
              No Sigma rule has matched
              No Suricata rule has matched

              AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.0% probability
Source: Authenticator.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Authenticator.exe | Static PE information: certificate valid
Source: Authenticator.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb( source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdbTTT source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdb source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: aspnet_regbrowsers.pdb source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: SystemSettings.pdb source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: SystemSettings.pdbGCTL source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: 64BitMAPIBroker.pdb source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp
Source: Authenticator.exe | Strings found in binary or memory:
  • http://crl.globalsign.com/ca/gstsacasha384g4.crl0
  • http://crl.globalsign.com/codesigningrootr45.crl0U
  • http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
  • http://crl.globalsign.com/root-r6.crl0G
  • http://ocsp.globalsign.com/ca/gstsacasha384g40C
  • http://ocsp.globalsign.com/codesigningrootr450F
  • http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
  • http://ocsp2.globalsign.com/rootr606
  • http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
  • http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
  • http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
  • https://auth.docker.com/
  • https://github.com/golang/protobuf/issues/1609):
  • https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.cominvalid
  • https://vault.azure.netusgovtrafficmanager.netvault.usgovcloudapi.nethttps://vault.azure.cn/vault.mi
  • https://www.globalsign.com/repository/0
Source: Authenticator.exe, memory dumps 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.2343407587.0000000003794000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
  • http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
  • http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  • http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
  • http://crl3.digicert.com/sha2-assured-ts.crl02
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  • http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
  • http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
  • http://crl4.digicert.com/sha2-assured-ts.crl0
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0H
  • http://ocsp.digicert.com0I
  • http://ocsp.digicert.com0O
  • http://www.digicert.com/CPS0
  • http://www.digicert.com/ssl-cps-repository.htm0
  • https://www.digicert.com/CPS0
Source: Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://code.google.com/p/chromium/issues/entry
  • https://chrome.google.com/webstore/category/extensions
Source: Authenticator.exe, 00000000.00000003.2343665752.00000000036D4000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://crbug.com/122474.
Source: Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • http://crbug.com/415315
  • http://crbug.com/415315.
  • https://crbug.com/593166
Source: Authenticator.exe, 00000000.00000003.2343584143.0000000003714000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • https://crbug.com/787427.
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • https://support.google.com/chrome/answer/6098869
  • https://support.google.com/cloudprint/answer/2541843
  • https://www.google.com/cloudprint#jobs
Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Strings found in binary or memory:
  • https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine
  • https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com
  • https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList
  • https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload
  • https://comments-stage.adobe.io
  • https://comments.adobe.io
  • https://comments.adobe.io/schemas/annots_metadata.jsonld
  • https://comments.adobe.io/schemas/bulk_entity_v1.json
  • https://comments.adobe.io/schemas/entity_v1.json
  • https://comments.adobe.io/schemas/user_comment_metadata_result_v1.json
  • https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer.
  • https://notify-stage.adobe.io
  • https://notify-stage.adobe.iohttps://notify.adobe.ioEnableDesktopNotificationlocaleEXPIRED%lldSync
  • https://notify.adobe.io
  • https://reviews.adobe.io
  • https://reviews.adobe.iourifullpayloadlinksinvitationURIreviewURIcommentingAssetURNEurekaInvitationI
  • https://scss.adobesc.com
  • https://scss.adobesc.com(
  • https://scss.adobesc.com.adobe.ioassetUrnreviewUrn
  • https://scss.adobesc.com0cW
  • https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad
  • https://scss.adobesc.comEventSignalForNotiUpdaterUserMetaDataAdobe
  • https://scss.adobesc.comKhttps://scss.adobesc.com
  • https://scss.adobesc.comReadStatusH
  • https://scss.adobesc.comX
  • https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsFetch_AnnotsEurekaReviewFetch
  • https://scss.adobesc.comemptyAnnotations
  • https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com
  • https://scss.adobesc.cominvalidAnnotIdListp
  • https://scss.adobesc.comreasoncom.adobe.review.sdk
  • https://scss.adobesc.comsuspendcrequestupdateuoperateop:W
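The "Static PE information" lines in this section are read straight from the PE headers: EXECUTABLE_IMAGE and 32BIT_MACHINE are bits of the COFF Characteristics field, DYNAMIC_BASE, NX_COMPAT and TERMINAL_SERVER_AWARE are bits of the optional header's DllCharacteristics field, and "certificate valid" refers to the Authenticode blob pointed to by the security data directory (the GlobalSign code-signing CRL and OCSP URLs listed for the on-disk file belong to that signature's chain). The parser below is an added example, not code from Joe Sandbox or from the report: it walks a PE image from the DOS header to the optional header and returns those fields by name, plus whether a security directory entry is present at all. The minimal PE32 header it builds for itself is constructed here and is not the sample; the fake security-directory location in it is an assumption.

```python
import struct

COFF_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
MACHINES = {0x14C: "i386", 0x8664: "x64", 0x1C4: "ARMNT", 0xAA64: "ARM64"}
PE32, PE32PLUS = 0x10B, 0x20B
SECURITY_DIR = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_headers(data: bytes) -> dict:
    """Extract the fields that Joe's 'Static PE information' lines summarise."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32PLUS):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)   # same offset in PE32 and PE32+
    ndirs_off = 92 if magic == PE32 else 108                 # NumberOfRvaAndSizes
    (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
    signed = False
    if ndirs > SECURITY_DIR:
        # Security directory holds a file offset (not an RVA) and size of the WIN_CERTIFICATE blob.
        sec_off, sec_size = struct.unpack_from("<II", data, opt + ndirs_off + 4 + 8 * SECURITY_DIR)
        signed = sec_off != 0 and sec_size != 0
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "format": "PE32" if magic == PE32 else "PE32+",
        "characteristics": _flags(chars, COFF_CHARACTERISTICS),
        "dll_characteristics": _flags(dllchars, DLL_CHARACTERISTICS),
        "has_authenticode_blob": signed,
    }


def build_sample_pe32(characteristics=0x0102, dll_characteristics=0x8140, signed=True) -> bytes:
    """Constructed minimal PE32 header (headers only, no sections): enough for
    the parser above, not a loadable executable. Defaults reproduce the flag
    combination the report lists."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    opt_size = 96 + 16 * 8                                   # PE32 optional header, 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32)
    struct.pack_into("<H", opt, 68, 2)                       # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                      # NumberOfRvaAndSizes
    if signed:
        # Assumed placeholder location/size for a WIN_CERTIFICATE blob.
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, 0x1000, 0x800)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(parse_pe_headers(build_sample_pe32()))
```

Two caveats when reading these fields on a real sample: DYNAMIC_BASE and NX_COMPAT are linker defaults and say nothing about intent, and a non-zero security directory only means a signature blob is attached. "Certificate valid" in the sense Joe reports it (chain, revocation, timestamp) has to come from a real verifier, for example Get-AuthenticodeSignature in PowerShell or signtool verify /pa, and a valid signature on a credential stealer is itself a finding about the signing identity, not a reason to discount the Yara hits.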

              System Summary

Source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Metasploit Payloads - file msf.war - contents, Author: Florian Roth
Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Arechclient2 RAT, Author: ditekSHen
Source: Authenticator.exe, 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896370901.0000000002F10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHelpPane.exej% vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameaspnet_regbrowsers.exeT vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2476787398.0000000002F2A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2344961613.0000000003404000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystemSettings.exej% vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename64BitMAPIBroker.exeD vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAdobeCollabSync.exeH vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1841999418.0000000003679000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAdobeCollabSync.exeb! vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2122269693.0000000009BC4000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2475688677.0000000003700000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamebluefin.exe" vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2109675258.0000000009F14000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcroBroker.exe~/ vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000000.1676393637.00000000020EF000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSaint Paint Studio.exe vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcroCEF.exeH vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAcroCEF.exe< vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.1896563121.0000000002EF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCRLogTransport .exe6 vs Authenticator.exe
Source: Authenticator.exe, 00000000.00000003.2346620493.0000000002D62000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLogTransport2.exe0 vs Authenticator.exe
Source: Authenticator.exe | Binary or memory string: OriginalFilenameSaint Paint Studio.exe vs Authenticator.exe
Source: Authenticator.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Arechclient2, author = ditekSHen, description = Detects Arechclient2 RAT
Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Msfpayloads_msf_9, date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
              Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
              Source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, -Module-.cs | Cryptographic APIs: 'CreateDecryptor'
              Source: classification engine | Classification label: mal45.troj.winEXE@1/0@0/0
              Source: Authenticator.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Authenticator.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT branches.content_item_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) JOIN content_items ON( content_items.creation_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch1 AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id NOT IN ( SELECT branches.content_item_revision_id FROM content_item_relations JOIN branches ON( branches.content_item_id = content_item_relations.target_content_item_id) WHERE( content_item_relations.src_content_item_id = :srcContentItemId AND content_item_relations.rel = :relType AND branches.app_id = :appId AND branches.branch_name = :branch2))));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted,(SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = :id AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_relations ( src_content_item_id TEXT NOT NULL, target_content_item_id TEXT NOT NULL, rel TEXT NOT NULL, PRIMARY KEY (src_content_item_id, target_content_item_id, rel));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE branches SET content_item_revision_id = :contentItemRevisionId, modified = :modified, download_state = :downloadState WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS resource_content ( resource_content_id TEXT PRIMARY KEY NOT NULL, resource_content TEXT NOT NULL);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO content_items( creation_id, asset_id, type, content_item_type, created, removed_from_server, pending_local_delete) VALUES( :creationId, :assetId, :type, :contentItemType, :created, :removedFromServer, :pendingLocalDelete);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO pending_requests( pending_request_id, request_type, content_item_id, context) VALUES( :pendingRequestId, :requestType, :contentItemId, :context);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT *, (SELECT resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN resource_content ON (resource_revisions.hash = resource_content.resource_content_id) WHERE( branches.content_item_id = creation_id_local AND branches.branch_name = 'error' AND branches.app_id = :appId)) as error_payload, (SELECT 1 from branches where branch_name = 'conflict' AND content_item_id = creation_id_local) as is_conflicted, ( SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id and branches.content_item_id = creation_id_local) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base'))))) as is_sync_pending FROM ( SELECT content_item_relations.src_content_item_id, branches.download_state, branches.record_created, branches.modified, content_items.creation_id , content_items.creation_id as creation_id_local, branches.content_item_id, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE content_item_revisions SET local_etag = :localEtag, request_id = :requestId, updated = :updated WHERE( content_item_revision_id IN ( SELECT content_item_revision_id FROM branches WHERE( content_item_id = :contentItemId AND branch_name = :branchName ANDapp_id = :appId)));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests WHERE( request_type = :requestType and content_item_id = :contentItemId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE device_mappings SET unPinned = 1 WHERE(content_item_id = :contentItemId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT OR REPLACE INTO branches( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS pending_requests ( pending_request_id TEXT PRIMARY KEY NOT NULL, request_type TEXT NOT NULL, content_item_id TEXT DEFAULT NULL, context TEXT DEFAULT NULL, pending_request_created TIMESTAMP DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now', 'localtime')) NOT NULL, request_status TEXT DEFAULT "CREATED" NOT NULL, message TEXT DEFAULT NULL, status_code INTEGER DEFAULT -1 NOT NULL, device_mapping_id TEXT DEFAULT NULL, UNIQUE (content_item_id, request_type, request_status));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :assetId AND branches.branch_name = :branchName AND branches.app_id = :appId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT OR REPLACE INTO content_item_relations( src_content_item_id, target_content_item_id, rel) VALUES( :srcContentItemId, :targetContentItemId, :rel);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO resource_revisions( revision_id, rel_to_content_item, resource_type, media_type, locator, committed, hashType, hash, storageSize, width, height) VALUES( :revisionId, :relToContentItem, :resourceType, :mediaType, :locator_var, :committed_var, :hashType_var, :hash_var, :storageSize_var, :width_var, :height_var);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT content_items.creation_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'current' AND branches.app_id = :appid) AND ((content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR (content_item_revisions.content_item_revision_id) NOT IN ( SELECT content_item_revisions.content_item_revision_id FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) WHERE (branches.branch_name = 'base' AND branches.app_id = :appid))) AND content_items.creation_id NOT IN ( SELECT content_item_id FROM branches WHERE( branch_name = 'error'));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS branches ( content_item_id TEXT NOT NULL, content_item_revision_id TEXT NOT NULL, branch_name TEXT NOT NULL, app_id TEXT NOT NULL, is_transient INTEGER DEFAULT 0 NOT NULL, record_created TIMESTAMP NOT NULL, modified TIMESTAMP NOT NULL, download_state TEXT DEFAULT NULL, PRIMARY KEY (content_item_id, branch_name, app_id));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_resources ( content_item_revision_id TEXT NOT NULL, resource_revision_id TEXT NOT NULL, resource_id TEXT DEFAULT NULL, resource_cloud_etag TEXT DEFAULT NULL, resource_cloud_version_id TEXT DEFAULT NULL, resource_local_etag TEXT DEFAULT NULL, resource_local_version_id TEXT DEFAULT NULL, PRIMARY KEY (content_item_revision_id, resource_revision_id));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT creation_id FROM content_items WHERE asset_id = :assetId;
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO device_mappings( device_mapping_id, content_item_id, collection_id, content_item_type, include_rel_types, include_depth, branch, TTL, Priority, app_info) VALUES( :deviceMappingId, :contentItemId, :collectionId, :contentItemType, :includeRelTypes, :includeDepth, :branch, :TTL, :priority, :appInfo);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO content_item_resources( content_item_revision_id, resource_revision_id) VALUES( :contentItemRevisionId, :resourceRevisionId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO branches ( content_item_id, content_item_revision_id, branch_name, app_id, is_transient, record_created, modified, download_state) VALUES( :contentItemId, :contentItemRevisionId, :branchName, :appId, :isTransient, :recordCreated, :modified, :downloadState);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM device_mappings WHERE( unPinned = 1);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE content_items SET removed_from_server = :removedFromServer WHERE( creation_id = :creationId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT content_item_relations.src_content_item_id, branches.download_state, content_items.creation_id,branches.content_item_id,branches.record_created, branches.modified, content_items.asset_id, content_items.type, content_items.content_item_type, content_items.removed_from_server, content_items.pending_local_delete, content_item_revisions.cloud_etag, content_item_revisions.updated, content_item_revisions.local_etag, content_item_revisions.request_id, content_item_revisions.content_name, content_item_resources.resource_cloud_etag , content_item_resources.resource_local_etag , resource_revisions.rel_to_content_item , resource_revisions.resource_type, resource_revisions.committed, resource_content.resource_content, (select 1 from branches where branch_name = 'conflict' AND content_item_id = :id) as is_conflicted, (SELECT 1 FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = 'current' AND branches.content_item_id = :id AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = 'base' AND branches.content_item_id = :id))))) as is_sync_pending, (SELECT content_item_revisions.cloud_etag FROM content_items JOIN branches ON (branches.content_item_id = content_items.creation_id)JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id)WHERE( content_items.asset_id = :collectionId AND branches.branch_name = :branchName AND branches.app_id = :appId)) as collection_cloud_etag FROM branches JOIN content_items ON (branches.content_item_id = content_items.creation_id) JOIN content_item_revisions ON (branches.content_item_revision_id = content_item_revisions.content_item_revision_id) JOIN content_item_resources ON (branches.content_item_revision_id = content_item_resources.content_item_revision_id) JOIN resource_revisions ON (content_item_resources.resource_revision_id = resource_revisions.revision_id) JOIN content_item_rel
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE branches SET modified = :modified WHERE( content_item_id = :contentItemId AND branch_name = :branchName AND app_id = :appId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT branches.content_item_id FROM branches JOIN content_items ON(content_items.creation_id = branches.content_item_id) WHERE( branches.app_id = :appId AND branches.branch_name = :branch1 AND branches.content_item_id = :contentItemId AND (( content_items.pending_local_delete = 1 AND content_items.removed_from_server = 0) OR branches.content_item_revision_id not in( SELECT branches.content_item_revision_id FROM branches WHERE( branches.app_id = :appId AND branches.branch_name = :branch2 AND branches.content_item_id = :contentItemId))));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_type = :resourceType);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_updates ( seq_num INTEGER PRIMARY KEY NOT NULL, app_id TEXT NOT NULL, content_item_local_id TEXT NOT NULL, time TIMESTAMP NOT NULL, operation TEXT NOT NULL);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE content_items SET asset_id = :assetId WHERE( creation_id = :creationId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS resource_revisions ( revision_id TEXT PRIMARY KEY NOT NULL, rel_to_content_item TEXT NOT NULL, resource_type TEXT NOT NULL, media_type TEXT NOT NULL, locator TEXT NOT NULL, committed INTEGER NOT NULL, hashType TEXT DEFAULT NULL, hash TEXT DEFAULT NULL, storageSize INTEGER DEFAULT 0, width INTEGER DEFAULT 0, height INTEGER DEFAULT 0);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: select count(*) from SQLITE_MASTER where type = "table";
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE content_items SET pending_local_delete = :pendingLocalDelete WHERE( creation_id = :creationId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO content_item_revisions( content_item_revision_id, cloud_etag, updated, local_etag, request_id, content_name) VALUES( :contentIemRevisionId, :cloudEtag, :updated, :localEtag, :requestId, :contentName);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS content_item_revisions( content_item_revision_id TEXT PRIMARY KEY NOT NULL, cloud_etag TEXT DEFAULT NULL, cloud_version_id TEXT DEFAULT NULL, updated TIMESTAMP DEFAULT NULL, acl TEXT DEFAULT NULL, local_etag TEXT DEFAULT NULL, local_version_id TEXT DEFAULT NULL, request_id TEXT DEFAULT NULL, content_name TEXT DEFAULT NULL);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS content_items( creation_id TEXT PRIMARY KEY NOT NULL, asset_id TEXT DEFAULT NULL, type TEXT NOT NULL, content_item_type TEXT NOT NULL, created TEXT NOT NULL, removed_from_server INTEGER DEFAULT 0 NOT NULL, pending_local_delete INTEGER DEFAULT 0 NOT NULL, update_seq_num INTEGER DEFAULT 0 NOT NULL);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS sync_tokens ( content_item_id TEXT PRIMARY KEY NOT NULL, token TEXT DEFAULT NULL, last_sync_time TIMESTAMP DEFAULT NULL, device_mapping_id TEXT DEFAULT NULL);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS device_mappings ( device_mapping_id TEXT PRIMARY KEY NOT NULL, content_item_id TEXT NOT NULL, content_item_type TEXT NOT NULL, include_rel_types TEXT DEFAULT NULL, include_depth INTEGER DEFAULT 0 NOT NULL, branch TEXT DEFAULT NULL, device_mapping_created TIMESTAMP DEFAULT (strftime('%s', 'now')) NOT NULL, collection_id TEXT DEFAULT NULL, TTL INTEGER DEFAULT 0 NOT NULL, Priority INTEGER DEFAULT 0 NOT NULL, app_info TEXT NOT NULL, unPinned INTEGER DEFAULT 0 NOT NULL, UNIQUE (content_item_id, branch));
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT pending_request_id, request_type, content_item_id, context, pending_request_created, request_status, message, status_code, device_mapping_id FROM pending_requests;
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE pending_requests SET request_status = :requestStatus, message = :message, status_code = :statusCode WHERE( pending_request_id = :pendingRequestId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO resource_content( resource_content_id, resource_content) VALUES ( :resourceContentId, :resourceContent);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT *FROM pending_requests WHERE(content_item_id = :contentItemId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT * FROM device_mappings WHERE( content_item_id = :contentItemId);
              Source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT OR REPLACE INTO branches ( content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, branch_name) SELECT content_item_id, content_item_revision_id, app_id, is_transient, record_created, modified, download_state, :targetBranchname from branches WHERE branch_name = :srcBranchname AND content_item_id = :contentItemId AND app_id = :appId;
              Source: Authenticator.exe | String found in binary or memory: go_threadsres binderres masterresumptionexp masterconnectionuser-agentConnectionlocal-addrRST_STREAMEND_STREAMSet-Cookie; Expires=; Max-Age=; HttpOnly stream=%d:authorityset-cookiekeep-aliveequivalentHost: %s
              Source: Authenticator.exe | String found in binary or memory: ... omitting ^#\|\s+msgctxt.WithoutCancel.WithDeadline(.in-addr.arpa.unknown mode: protobuf_oneofXXX_OneofFuncsreserved_rangefield_presenceheap_sys_bytes\.+*?()|[]{}^$bad record MACcontent-lengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAM; SameSite=LaxERR_UNKNOWN_%daccept-charsetread_frame_eof{$} not at endempty wildcardparsing %q: %wunknown error unknown code: Not AcceptableControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenClearCommBreakClearCommErrorCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofResourceVirtualProtectVirtualQueryExCoInitializeExCoUninitializeGetShellWindowVerQueryValueW([a-f0-9]{64})document startsequence startadd_dir_headervault.azure.cnmime/multipartzero parameterprefix length not an ip:portinvalid PrefixRCodeNameErrorResourceHeaderSubConn(id:%d)"OUT_OF_RANGE"ALREADY_EXISTSprotobuf errorMessageOptionsServiceOptionsinvalid kind: XXX_extensionsInstEmptyWidthresourceGroups> closed by </Accept-CharsetDkim-Signatureneed more dataREQUEST_METHODLABEL_OPTIONALLABEL_REPEATEDLABEL_REQUIREDEDITION_LEGACYEDITION_PROTO2EDITION_PROTO3StaticProvidercloud.adc-e.ukcsp.hci.ic.govap-northeast-1ap-northeast-2ap-northeast-3ap-southeast-1ap-southeast-2ap-southeast-3ap-southeast-4Europe (Milan)Europe (Spain)Europe (Paris)US East (Ohio)fips-ca-west-1fips-us-east-1fips-us-east-2fips-us-west-1fips-us-west-2ca-west-1-fipsus-east-1-fipsus-east-2-fipsus-west-1-fipsus-west-2-fipsamplifybackendapi.ecr-publicbackup-gatewayclouddirectorycloudformationlocalhost:8000edge.sagemakerfips-ap-east-1fips-eu-west-1fips-eu-west-2fips-eu-west-3fips-sa-east-1emr-containersemr-serverlessprod-ca-west-1prod-us-east-1prod-us-east-2prod-us-west-1prod-us-west-2identity-chimeiotthingsgraphapi-ap-south-1data-eu-west-1data-us-east-1data-us-west-2kendra-rankingap-east-1-fipseu-west-1-fipseu-west-2-fipseu-west-3-fipssa-east-1-fipslookoutmetricsmediapackagev2meetings-chimenetworkmanagerroute53domainsruntime-v2-lexsecretsmanagerserverlessreposervicecatalogsimspaceweaverstoragegatewayworkspaces-webcn-northwest-1api-cn-north-1aws-iso-globalus-isob-east-1eu-isoe-west-1^cn\-\w+\-\d+$%s Channel #%dgrpc-trace-bintoo_many_pingsunknown ID: %vAuthInfo: '%s'show_sensitiveReservedRangesdtls fatal: %vRecordOverflowBadCertificatekey is invalidLOGGER_UNKNOWNformnovalidate$htmltemplate_ /* %s */null failed to castunknown node: ApplyFunction;DifferentialD;DoubleLeftTee;DoubleUpArrow;LeftTeeVector;LeftVectorBar;LessFullEqual;LongLeftArrow;Longleftarrow;NotTildeEqual;NotTildeTilde;Poincareplane;PrecedesEqual;PrecedesTilde;RightArrowBar;RightTeeArrow;RightTriangle;RightUpVector;SucceedsEqual;SucceedsTilde;SupersetEqual;UpEquilibrium;VerticalTilde;VeryThinSpace;bigtriangleup;blacktriangle;divideontimes;fallingdotseq;hookleftarrow;leftarrowtail;leftharpoonup;longleftarrow;looparrowleft;measuredangle;ntriangleleft;shortparallel;smallsetminus;triangleright;upharpoonleft;NotEqualTilde;varsubsetneqq;varsupsetneqq;len of type %shttpt
              Source: Authenticator.exe | String found in binary or memory: longer proceed.user arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goruntime.SetFinalizer: pointer not at beginning of allocated blockreflect: StructOf does not support methods of embedded interfacesx509: inner and outer signature algorithm identifiers don't matchx509: issuer name does not match subject from issuing certificateDesc{fqName: %q, help: %q, constLabels: {%s}, variableLabels: %v}tls: internal error: attempted to read record with QUIC transporttls: server selected an invalid version after a HelloRetryRequestnet/http: Transport.DialTLS or DialTLSContext returned (nil, nil)cryptobyte: pending child length %d exceeds %d-byte length prefixreceived context error while waiting for new LB policy update: %sxml: name %q in tag of %s.%s conflicts with name %q in %s.XMLNamenistec: internal error: p224Table called with out-of-bounds valuenistec: internal error: p256Table called with out-of-bounds valuenistec: internal error: p384Table called with out-of-bounds valuenistec: internal error: p521Table called with out-of-bounds valuebinarylogging: message to log is neither proto.message nor []bytelast data directory entry is a reserved field, must be set to zerounable to query buffer size from InitializeProcThreadAttributeListdbus.Store: type mismatch: map: cannot store a value of %s into %sThere was an error processing the upload and it must be restarted.reflect: indirection through nil pointer to embedded struct field x509: certificate is not valid for any names, but wanted to match x509: requested SignatureAlgorithm does not match private key typepkcs7: signing time %q is outside of certificate validity %q to %qNumber of heap bytes when next garbage collection will take place.tls: certificate private key (%T) does not implement crypto.Signerclient doesn't support ECDHE, can only use legacy RSA key exchangetls: server sent an unexpected quic_transport_parameters extensioninternal error: attempted to parse unknown event (please report): If non-empty, use this log file (no effect when -logtostderr=true)If true, adds the file directory to the header of the log messagescryptobyte: high-tag number identifier octects not supported: 0x%xDescriptor.Options called without importing the descriptor packageCumulative sum of memory allocated to the heap by the application.base.baseBalancer: UpdateSubConnState(%v, %+v) called unexpectedlyreceived goaway with non-zero even-numbered numbered stream id: %vmetadata: Pairs got the odd number of input pairs for metadata: %dtls: server sent certificate containing RSA key larger than %d bitsServer retry pushback specified multiple values (%q); not retrying.field %v with invalid Mutable call on field with non-composite typeMemory that is used by the stack trace hash map used for profiling.base.baseBalancer: got state changes for an unknown SubConn: %p, %vtransport: cannot send secure credentials on an insecure connectionif non-empty, httptest.Ne
              Source: Authenticator.exeString found in binary or memory: includes an invalid layer digest.Memory allocated from the heap that is reserved for stack space, whether or not it is currently in-use. Currently, this represents all stack memory for goroutines. It also includes all OS thread stacks in non-cgo programs. Note that stacks may be allocated differently in the future, and this may change.Distribution of individual non-GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (measured directly in /sched/pauses/stopping/other:seconds). Bucket counts increase monotonically.Distribution of individual GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total GC-related stop-the-world time (/sched/pauses/total/gc:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.Distribution of individual non-GC-related stop-the-world stopping latencies. This is the time it takes from deciding to stop the world until all Ps are stopped. This is a subset of the total non-GC-related stop-the-world time (/sched/pauses/total/other:seconds). During this time, some threads may be executing. Bucket counts increase monotonically.stateTextstateTagstateAttrNamestateAfterNamestateBeforeValuestateHTMLCmtstateRCDATAstateAttrstateURLstateSrcsetstateJSstateJSDqStrstateJSSqStrstateJSTmplLitstateJSRegexpstateJSBlockCmtstateJSLineCmtstateJSHTMLOpenCmtstateJSHTMLCloseCmtstateCSSstateCSSDqStrstateCSSSqStrstateCSSDqURLstateCSSSqURLstateCSSURLstateCSSBlockCmtstateCSSLineCmtstateErrorstateDeadGC cycle the last time the GC CPU limiter was enabled. This metric is useful for diagnosing the root cause of an out-of-memory error, because the limiter trades memory for CPU time when the GC's CPU time gets too high. 
This is most likely to occur with use of SetMemoryLimit. The first GC cycle is cycle 1, so a value of 0 indicates that it was never enabled.Distribution of individual GC-related stop-the-world pause latencies. This is the time from deciding to stop the world until the world is started again. Some of this time is spent getting all threads to stop (this is measured directly in /sched/pauses/stopping/gc:seconds), during which some threads may still be running. Bucket counts increase monotonically.Estimated total CPU time spent performing GC tasks on spare CPU resources that the Go scheduler could not otherwise find a use for. This should be subtracted from the total GC CPU time to obtain a measure of compulsory GC CPU time. This metric is an overestimate, and not directly comparable to system CPU time measurements. Compare only with other /cpu/classes metrics.Estimated total available CPU time for user Go code or the Go runtime, as defined by GOMAXPROCS. In other words, GOMAXPROCS integrated over the wall-clock duration this process has been executing for. This metric is an o
              Source: Authenticator.exe | String found in binary or memory: depgithub.com/docker/docker-credential-helpersv0.8.2h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
              Source: Authenticator.exe | String found in binary or memory: net/addrselect.go
              Source: Authenticator.exe | String found in binary or memory: github.com/saferwall/pe@v1.5.4/loadconfig.go
              Source: Authenticator.exe | String found in binary or memory: google.golang.org/grpc@v1.64.1/internal/balancerload/load.go
              Source: C:\Users\user\Desktop\Authenticator.exe | File read: C:\Users\user\Desktop\Authenticator.exe
              Source: C:\Users\user\Desktop\Authenticator.exe | Section loaded: powrprof.dll
              Source: C:\Users\user\Desktop\Authenticator.exe | Section loaded: umpdc.dll
              Source: Authenticator.exe | Static PE information: certificate valid
              Source: Authenticator.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Authenticator.exe | Static file information: File size 19019576 > 1048576
              Source: Authenticator.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x7b7000
              Source: Authenticator.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x964200
              Source: Authenticator.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb | source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdb | source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AdobeCollabSync.pdb( | source: Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: C:\Users\cruser\workspace\CR-Windows-x64-Client-Builder\CRLogTransport\public\binary\Win\x64\Release\CRLogTransport.pdbQ | source: Authenticator.exe, 00000000.00000003.1896579935.0000000002EE0000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdbTTT | source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Release_x64\AcroBroker.pdb | source: Authenticator.exe, 00000000.00000003.2109703941.0000000009F04000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: aspnet_regbrowsers.pdb | source: Authenticator.exe, 00000000.00000003.2417488250.0000000002D64000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: SystemSettings.pdb | source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: SystemSettings.pdbGCTL | source: Authenticator.exe, 00000000.00000003.1896884166.0000000002D42000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: 64BitMAPIBroker.pdb | source: Authenticator.exe, 00000000.00000003.2091238614.0000000002F68000.00000004.00001000.00020000.00000000.sdmp
              Source: Authenticator.exe | Static PE information: section name: .symtab
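Read together, the static rows above describe a statically linked Go binary: Go build-info dependency records and module source paths (github.com/saferwall/pe, google.golang.org/grpc, docker-credential-helpers), a 19 MB file whose .text and .rdata each exceed 1 MiB, the DYNAMIC_BASE / NX_COMPAT / TERMINAL_SERVER_AWARE characteristics and the .symtab section the Go linker emits. The PDB paths of Adobe, SystemSettings and MAPI-broker executables that turn up in the sample's memory are consistent with the volume-information queries it makes against those same files under C:\Windows (including the Installer $PatchCache$ copies), i.e. with the sample reading and parsing other executables on disk, which is what a vendored PE parser would be for. The script below is an added example for this page, not Joe Sandbox's or the sample's code; it reproduces that static triage over a constructed byte blob assembled from strings quoted in this report. The tab separators in the Go build-info line and the section virtual sizes are assumptions (the report collapses the former and gives only raw sizes), and the .data/.symtab sizes are illustrative.

```python
"""Static triage of the indicators this report lists for Authenticator.exe:
DllCharacteristics flags, section names/sizes, Go build-info dependency
records, Go module source paths and embedded PDB paths.  Added example for
this page, not Joe Sandbox's or the sample's code.  SAMPLE is a constructed
byte blob mimicking the report's strings (tabs restored where Go stores
them); a real file would be passed in as bytes instead."""
import re
from dataclasses import dataclass

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# Section names normally produced by MSVC, MinGW and the Go linker for user-mode
# PE files; anything else deserves a look (".symtab" is the Go linker's COFF
# symbol-table section, one of the Go-toolchain tells in this report).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".xdata", ".idata",
                     ".edata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}
SIZE_LIMIT = 0x100000  # 1 MiB, the threshold the report applies to .text/.rdata


@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int


@dataclass
class GoDep:
    module: str
    version: str
    checksum: str


def decode_dll_characteristics(flags: int) -> list[str]:
    """Names of the set DllCharacteristics bits, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if flags & bit]


def section_findings(sections: list[Section]) -> list[str]:
    """Flag non-standard section names and sections larger than SIZE_LIMIT."""
    findings = []
    for s in sections:
        if s.name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s.name}")
        if s.virtual_size > SIZE_LIMIT:
            findings.append(f"virtual size of {s.name} is 0x{s.virtual_size:x} > 0x{SIZE_LIMIT:x}")
        if s.raw_size > SIZE_LIMIT:
            findings.append(f"raw size of {s.name} is 0x{s.raw_size:x} > 0x{SIZE_LIMIT:x}")
    return findings


# Go embeds runtime/debug.BuildInfo as text, one "dep\t<module>\t<version>\t<h1 sum>"
# line per dependency; the report shows these lines with the tabs dropped.
GO_DEP_RE = re.compile(rb"dep\t([^\t\n]+)\t([^\t\n]+)\t(h1:[A-Za-z0-9+/=]+)")
# Module source paths such as github.com/saferwall/pe@v1.5.4/loadconfig.go
GO_SRC_RE = re.compile(rb"((?:[\w.\-]+/)+[\w.\-]+)@(v[\w.\-+]+)/")
# Absolute or bare PDB paths; trailing junk the report shows ("pdbQ") is not captured.
PDB_RE = re.compile(rb"(?:[A-Za-z]:\\[\x21-\x7e ]*?)?[\w.\-]+\.pdb")


def go_deps(blob: bytes) -> list[GoDep]:
    return [GoDep(m.decode(), v.decode(), s.decode()) for m, v, s in GO_DEP_RE.findall(blob)]


def go_source_modules(blob: bytes) -> list[str]:
    """Distinct module@version pairs referenced by embedded Go source paths."""
    return sorted({f"{m.decode()}@{v.decode()}" for m, v in GO_SRC_RE.findall(blob)})


def pdb_paths(blob: bytes) -> list[str]:
    return sorted({m.decode() for m in PDB_RE.findall(blob)})


# Constructed blob built from strings quoted in this report (tabs are an assumption).
SAMPLE = (
    b"\x00dep\tgithub.com/docker/docker-credential-helpers\tv0.8.2\t"
    b"h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=\n\x00"
    b"github.com/saferwall/pe@v1.5.4/loadconfig.go\x00"
    b"google.golang.org/grpc@v1.64.1/internal/balancerload/load.go\x00"
    b"D:\\DCB\\CBT_Main\\BuildResults\\bin\\Release_x64\\AdobeCollabSync.pdb(\x00"
    b"C:\\Users\\cruser\\workspace\\CR-Windows-x64-Client-Builder\\CRLogTransport"
    b"\\public\\binary\\Win\\x64\\Release\\CRLogTransport.pdbQ\x00"
    b"SystemSettings.pdbGCTL\x00"
)
# Raw sizes of .text/.rdata as the report gives them; virtual sizes and the
# .data/.symtab entries are illustrative assumptions.
SAMPLE_SECTIONS = [Section(".text", 0x7b7000, 0x7b7000), Section(".rdata", 0x964200, 0x964200),
                   Section(".data", 0x1000, 0x1000), Section(".symtab", 0x1000, 0x1000)]

if __name__ == "__main__":
    print(decode_dll_characteristics(0x8140))
    for line in section_findings(SAMPLE_SECTIONS):
        print(line)
    for dep in go_deps(SAMPLE):
        print(dep)
    print(go_source_modules(SAMPLE))
    print(pdb_paths(SAMPLE))
```

To run this against the real file, read it with `open(path, "rb").read()` for the string-based functions and take the section table and DllCharacteristics from any PE parser; the regexes only need the raw bytes, so they also work on the memory dumps the report cites as sources of the PDB strings.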
              Source: C:\Users\user\Desktop\Authenticator.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Users\user\Desktop\Authenticator.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\AppReadiness VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\EFI\ko-KR VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\EFI\lt-LT VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\EFI\lv-LV VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\memtest.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\nb-NO VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\pl-PL VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\pt-PT VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\ro-RO VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\tr-TR VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\uk-UA VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\zh-CN VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Boot\PCAT\zh-TW VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Branding\Basebrd\en-GB VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\CSC\v2.0.6\namespace VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\DigitalLocker VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\DigitalLocker\en-US VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Downloaded Program Files VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ELAMBKUP VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Fonts VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\GameBarPresenceWriter VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Globalization VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Globalization\ELS VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Globalization\ELS\HyphenationDictionaries VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Globalization\ELS\SpellDictionaries VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Globalization\ELS\SpellDictionaries\Fluency VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Globalization\ICU VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Help\OEM VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Help\OEM\IndexStore VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Help\Windows\ContentStore\en-US VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Help\Windows\IndexStore VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Help\Windows\IndexStore\en-US VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Help\mui VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\HelpPane.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\HelpPane.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\IME VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\IME\IMEJP VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\IME\IMETC\DICTS VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NET Data Provider for Oracle\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NET Data Provider for SqlServer\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NET Memory Cache 4.0\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\.NETFramework\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\BITS VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\BITS\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\BITS\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ESENT VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\MSDTC Bridge 4.0.0.0 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\MSDTC Bridge 4.0.0.0\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelEndpoint 3.0.0.0\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelOperation 3.0.0.0\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\ServiceModelService 3.0.0.0\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\TAPISRV VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\TAPISRV\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\TAPISRV\0809 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\TermService VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\TermService\0000 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\TermService\0409 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\INF\UGTHRSVC VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings\Assets VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\SystemSettings.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\en-GB VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\ImmersiveControlPanel\pris VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\InputMethod VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\InputMethod\SHARED VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\00006109F80000000100000000F01FEC\16.0.16827 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135 VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\AdobeCollabSync.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRLogTransport.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\CRWindowsClientService.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Eula.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_Acrobat.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\Exch_AcrobatInfo.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\SingleClientServicesUpdater.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\_4bitmapibroker.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobat_sl.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobat_sl.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobroker.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrobroker.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrocef.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrocef.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrotextextractor.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\acrotextextractor.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adelrcp.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\adelrcp.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\logtransport2.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\logtransport2.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\$PatchCache$\Managed\68AB67CA330133017706CB5110E47A00\21.1.20135\wcchromenativemessaginghost.exe VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Installer\{AC76BA86-1033-1033-7760-BC15014EA700} VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\L2Schemas VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\LanguageOverlayCache VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Logs\CBS VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Logs\DISM VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Logs\waasmedic VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Media VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Media\Afternoon VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Media\Heritage VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Media\Landscape VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exe | Queries volume information: C:\Windows\Media\Quirky VolumeInformation
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v1.0.3705 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v1.1.4322 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\1033 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Code VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_GlobalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SubsetList VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\WPF\en-US VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\SQL\en VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\1033 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInProcess32.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\Authenticator.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v3.5\MSBuild.exe VolumeInformationJump to behavior

              Stealing of Sensitive Information


              Remote Access Functionality

              barindex
Source: Yara match; File source: 0.3.Authenticator.exe.57b0000.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2e64000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2f84000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2f84000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2ca2000.16.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2f84000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2e64000.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2f84000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.a06e000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2e76000.20.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2c84000.19.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.364e000.18.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.340c000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2f84000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.a06e000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2c84000.19.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2ca2000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.9726000.12.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.9b08000.11.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Authenticator.exe.2f84000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Authenticator.exe PID: 7624, type: MEMORYSTR
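The Yara listings above and the per-process "Rule: …, Description: …, Source: …, Author: …" entries further down give one line per rule hit, which hides the question an analyst actually asks: which memory regions carry which rules, and where do two family-specific verdicts (RedLine and Arechclient2) land on the same bytes? The following is an added example, not Joe Sandbox code, that groups the hits by dump region. Its only assumption about the dump identifier format is the one the report itself makes visible: the fourth dot-separated field of a `.sdmp` name is the 16-hex-digit base address of the dumped region (it matches the address in the corresponding `0.3.Authenticator.exe.<addr>.<n>.unpack` names). The sample lines are a subset copied from the process's Yara list.

```python
"""Group the per-process Yara hits of this report by memory region.

Added example, not Joe Sandbox code. Assumption: in a ".sdmp" dump name the
fourth dot-separated field is the region's base address; the other fields are
sandbox-internal identifiers and are not interpreted here.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: eight entries copied from the process's Yara match list.
YARA_LINES = """\
Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
"""

LINE_RE = re.compile(
    r"^Rule: (?P<rule>[^,]+), Description: (?P<desc>.+?), "
    r"Source: (?P<source>[^,\s]+), Author: (?P<author>.+)$"
)

# Rules that name a family; generic rules such as JoeSecurity_CredentialStealer
# are deliberately left out of the co-location check.
FAMILY_RULES = {"JoeSecurity_RedLine", "MALWARE_Win_Arechclient2"}


def parse_yara_lines(text):
    """One dict per well-formed 'Rule: ..., Description: ..., Source: ..., Author: ...' line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def region_of(source):
    """Base address of a memory-dump source, or None when the source is a file, not a dump."""
    if not source.endswith(".sdmp"):
        return None
    fields = source.split(".")
    if len(fields) < 4:
        return None
    return int(fields[3], 16)


def rules_by_region(entries):
    """Map each dumped region's base address to the set of rules that fired on it."""
    regions = defaultdict(set)
    for e in entries:
        addr = region_of(e["source"])
        if addr is not None:
            regions[addr].add(e["rule"])
    return dict(regions)


def rule_hit_counts(entries):
    """How many sources each rule fired on."""
    return Counter(e["rule"] for e in entries)


def regions_with_multiple_families(entries, family_rules=FAMILY_RULES):
    """Regions on which more than one family-specific rule fired, sorted by address.

    Two family verdicts on the same bytes need a manual look rather than being
    counted as two payloads.
    """
    return sorted(addr for addr, rules in rules_by_region(entries).items()
                  if len(rules & family_rules) > 1)


if __name__ == "__main__":
    found = parse_yara_lines(YARA_LINES)
    for addr, rules in sorted(rules_by_region(found).items()):
        print(f"0x{addr:08X}: {', '.join(sorted(rules))}")
    print("co-located families:",
          [f"0x{a:08X}" for a in regions_with_multiple_families(found)])
```

On the eight sample lines this reports that the RedLine and Arechclient2 rules fire together on the regions at 0x02C84000 and 0x0A06E000 (alongside the generic credential-stealer rule), while the Metasploit rule hits separate regions of its own; the full list in the process section can be pasted into `YARA_LINES` unchanged.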
MITRE ATT&CK matrix, one line per tactic (number of matching signatures in parentheses; entries without a count matched no signature):

Reconnaissance:        Gather Victim Identity Information; Credentials
Resource Development:  Acquire Infrastructure; Domains
Initial Access:        Valid Accounts; Default Accounts
Execution:             Command and Scripting Interpreter (2); Scheduled Task/Job
Persistence:           DLL Side-Loading (1); Boot or Logon Initialization Scripts
Privilege Escalation:  DLL Side-Loading (1); Boot or Logon Initialization Scripts
Defense Evasion:       Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1)
Credential Access:     OS Credential Dumping; LSASS Memory
Discovery:             System Information Discovery (12); Application Window Discovery
Lateral Movement:      Remote Services; Remote Desktop Protocol
Collection:            Archive Collected Data (1); Data from Removable Media
Command and Control:   Data Obfuscation; Junk Data
Exfiltration:          Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Impact:                Abuse Accessibility Features; Network Denial of Service
              No Antivirus matches
Source | Detection | Scanner | Label
https://support.google.com/chrome/answer/6098869 | 0% | URL Reputation | safe
https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsFetch_AnnotsEurekaReviewFetch | 0% | Avira URL Cloud | safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList | 0% | Avira URL Cloud | safe
http://crbug.com/415315. | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore/category/extensions | 0% | Avira URL Cloud | safe
https://scss.adobesc.com0cW | 0% | Avira URL Cloud | safe
https://scss.adobesc.comEventSignalForNotiUpdaterUserMetaDataAdobe | 0% | Avira URL Cloud | safe
https://crbug.com/593166 | 0% | Avira URL Cloud | safe
https://auth.docker.com/ | 0% | Avira URL Cloud | safe
https://crbug.com/787427. | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore/category/extensions | 0% | Virustotal |
https://crbug.com/593166 | 0% | Virustotal |
https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com | 0% | Avira URL Cloud | safe
https://crbug.com/787427. | 0% | Virustotal |
http://crbug.com/415315. | 0% | Virustotal |
http://code.google.com/p/chromium/issues/entry | 0% | Avira URL Cloud | safe
https://github.com/golang/protobuf/issues/1609): | 0% | Avira URL Cloud | safe
https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer. | 0% | Avira URL Cloud | safe
https://scss.adobesc.comsuspendcrequestupdateuoperateop:W | 0% | Avira URL Cloud | safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload | 0% | Avira URL Cloud | safe
https://scss.adobesc.comX | 0% | Avira URL Cloud | safe
https://scss.adobesc.comreasoncom.adobe.review.sdk | 0% | Avira URL Cloud | safe
http://code.google.com/p/chromium/issues/entry | 0% | Virustotal |
https://auth.docker.com/ | 0% | Virustotal |
https://github.com/golang/protobuf/issues/1609): | 0% | Virustotal |
https://support.google.com/cloudprint/answer/2541843 | 0% | Avira URL Cloud | safe
https://scss.adobesc.com | 0% | Avira URL Cloud | safe
https://support.google.com/cloudprint/answer/2541843 | 0% | Virustotal |
https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad | 0% | Avira URL Cloud | safe
https://www.google.com/cloudprint#jobs | 0% | Avira URL Cloud | safe
https://scss.adobesc.com | 0% | Virustotal |
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine | 0% | Avira URL Cloud | safe
https://scss.adobesc.com( | 0% | Avira URL Cloud | safe
https://scss.adobesc.comReadStatusH | 0% | Avira URL Cloud | safe
http://crbug.com/415315 | 0% | Avira URL Cloud | safe
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com | 0% | Avira URL Cloud | safe
https://scss.adobesc.comemptyAnnotations | 0% | Avira URL Cloud | safe
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.cominvalid | 0% | Avira URL Cloud | safe
http://crbug.com/415315 | 0% | Virustotal |
https://scss.adobesc.comKhttps://scss.adobesc.com | 0% | Avira URL Cloud | safe
https://www.google.com/cloudprint#jobs | 1% | Virustotal |
https://scss.adobesc.cominvalidAnnotIdListp | 0% | Avira URL Cloud | safe
http://crbug.com/122474. | 0% | Avira URL Cloud | safe
http://crbug.com/122474. | 0% | Virustotal |
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.cominvalid | 0% | Virustotal |

Note that most of these entries are string-scanner artifacts rather than URLs the sample contacted: a host such as scss.adobesc.com or PrefSyncJob appears run together with whatever string followed it in memory (Acrobat review-SDK identifiers, single stray characters, a second URL). The scanner verdicts are therefore verdicts on fragments, and the report records no contacted domains or IPs.
              No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crbug.com/415315. | Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://scss.adobesc.comcommandNameAdd_AnnotsDelete_AnnotsUpdate_AnnotsFetch_AnnotsEurekaReviewFetch | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore/category/extensions | Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/RFList | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.com0cW | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comEventSignalForNotiUpdaterUserMetaDataAdobe | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://crbug.com/593166 | Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://support.google.com/chrome/answer/6098869 | Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://auth.docker.com/ | Authenticator.exe | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://crbug.com/787427. | Authenticator.exe, 00000000.00000003.2343584143.0000000003714000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://scss.adobesc.comhttps://scss.adobesc.comhttps://scss.adobesc.com | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://code.google.com/p/chromium/issues/entry | Authenticator.exe, 00000000.00000003.2343490007.0000000003754000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://github.com/golang/protobuf/issues/1609): | Authenticator.exe | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://lifecycleapp.operationlifecycle.shutdownlifecycle.startuptimer.starttimertimer.stoppedtimer. | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comsuspendcrequestupdateuoperateop:W | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Upload | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comX | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comreasoncom.adobe.review.sdk | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/cloudprint/answer/2541843 | Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://scss.adobesc.com | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://www.google.com/cloudprint#jobs | Authenticator.exe, 00000000.00000003.2343469069.0000000003764000.00000004.00001000.00020000.00000000.sdmp | false | 1% (Virustotal); Avira URL Cloud: safe | unknown
https://scss.adobesc.comAcroCoreSyncSharedReviewLoggingEnabledAcrobat_DesktopUserhttps://comments.ad | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachine | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.com( | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comReadStatusH | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crbug.com/415315 | Authenticator.exe, 00000000.00000003.2343685593.00000000036C4000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://PrefSyncJob/com.adobe.acrobat.ADotCom/Resource/Sync/Pref/StateMachinehttps://PrefSyncJob/com | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.comemptyAnnotations | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://vault.azure.net/mysql.database.azure.comhttps://cosmos.azure.cominvalid | Authenticator.exe | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://scss.adobesc.comKhttps://scss.adobesc.com | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://scss.adobesc.cominvalidAnnotIdListp | Authenticator.exe, 00000000.00000003.1841999418.00000000031F7000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crbug.com/122474. | Authenticator.exe, 00000000.00000003.2343665752.00000000036D4000.00000004.00001000.00020000.00000000.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
No contacted IP info
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502364
Start date and time: 2024-09-01 01:04:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 38s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Authenticator.exe
Detection: MAL
Classification: mal45.troj.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Authenticator.exe, PID 7624 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information

Read the behavioural part of this report with those last lines in mind: HCA saw no executed functions, the sample stayed idle (see the "Program does not show much activity" signature) and the run ended on timeout, so the dynamic evidence is thin and the RedLine/credential-stealer verdicts rest on Yara hits in memory dumps, not on observed stealing or network activity.
              No simulations
              No context
              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.072657452759088
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Authenticator.exe
File size: 19'019'576 bytes
MD5: b7aa705ae0273c87a7af8c79f47247d2
SHA1: 6b4993e818a6751a99e7d653472e259e6cab5c70
SHA256: 01db4e69578d9b424087b90550463a1a1ce88e36f77050fc443d3b6b50b85b23
SHA512: 77f48c7d397166df7ecd7a7fcbf432cdb486ecd71cdc6fe6c47213ecd990ad8b45633706a4571f09ae026345ceb9c44eeaa8a208e8afdd27953e725f3b8a12aa
SSDEEP: 98304:FR+Yc7N8PztpYLPMQQ2WdqQUeDrUw3oCKB8vxFCJYpRB58C1e2gOsGlVeTXUTzv3:HqKYzfQtvoC1zAQVZpOFK/dq+7oEB
TLSH: 6D173A41FAC749F1D9439435809B622F1B345D05CB29CB8BEB10BF6AF837692AE37245
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6...............p{..|....................@...........................%......."...@................................
Icon Hash: 6a5a6272d8dacb30
Entrypoint: 0x479400
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC] (zeroed, so it carries no build-date information)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: 1aae8bf580c846f39c71c05898e57e88
Signature Valid: true
Signature Issuer: CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 06/08/2024 10:26:06
Not After: 07/08/2025 09:42:34
Subject Chain:
• CN="Brave Pragmatic Network Technology Co., Ltd.", O="Brave Pragmatic Network Technology Co., Ltd.", L=Guangzhou, S=Guangdong, C=CN, OID.1.3.6.1.4.1.311.60.2.1.1=Guangzhou, OID.1.3.6.1.4.1.311.60.2.1.2=Guangdong, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91440101MA9URAWW0Q, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: CEC062ACE518A1F4B9E9A36B0927D8D5
Thumbprint SHA-1: 4BDBF5954EDE0FF642960B7A8601D962F6B3D8CD
Thumbprint SHA-256: 7F788897A2EE8BA66CCCD183AF0417433E34EF48DCF1212AD28C639F17FF5404
Serial: 3B17B73A15A48A30DD2EDC71

"Signature Valid: true" establishes only that the file was signed with the private key behind the subject certificate; it is not a reputation verdict, and this sample is classified malicious despite it. Before trusting or blocking on the certificate, check the serial against the issuer's CRL/OCSP (code-signing certificates found on malware are routinely revoked after the fact) and pivot on the SHA-256 thumbprint to find other binaries signed with the same key.
              Instruction
              jmp 00007FB704E6D9B0h
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              sub esp, 28h
              mov dword ptr [esp+1Ch], ebx
              mov dword ptr [esp+10h], ebp
              mov dword ptr [esp+14h], esi
              mov dword ptr [esp+18h], edi
              mov dword ptr [esp], eax
              mov dword ptr [esp+04h], ecx
              call 00007FB704E48AE6h
              mov eax, dword ptr [esp+08h]
              mov edi, dword ptr [esp+18h]
              mov esi, dword ptr [esp+14h]
              mov ebp, dword ptr [esp+10h]
              mov ebx, dword ptr [esp+1Ch]
              add esp, 28h
              retn 0004h
              ret
              int3
              int3
              int3
              int3
              int3
              int3
              sub esp, 08h
              mov ecx, dword ptr [esp+0Ch]
              mov edx, dword ptr [ecx]
              mov eax, esp
              mov dword ptr [edx+04h], eax
              sub eax, 00010000h
              mov dword ptr [edx], eax
              add eax, 00000BA0h
              mov dword ptr [edx+08h], eax
              mov dword ptr [edx+0Ch], eax
              lea edi, dword ptr [ecx+34h]
              mov dword ptr [edx+18h], ecx
              mov dword ptr [edi], edx
              mov dword ptr [esp+04h], edi
              call 00007FB704E6FE14h
              cld
              call 00007FB704E6EE9Eh
              call 00007FB704E6DAD9h
              add esp, 08h
              ret
              jmp 00007FB704E6FCC0h
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              mov ebx, dword ptr [esp+04h]
              mov ebp, esp
              mov dword ptr fs:[00000034h], 00000000h
              mov ecx, dword ptr [ebx+04h]
              cmp ecx, 00000000h
              je 00007FB704E6FCC1h
              mov eax, ecx
              shl eax, 02h
              sub esp, eax
              mov edi, esp
              mov esi, dword ptr [ebx+08h]
              cld
              rep movsd
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11ba000 | 0x44c | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x122a000 | 0x2d48c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1220e00 | 0x2938 | .reloc (see note)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11bb000 | 0x6d36c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x111efe0 | 0xb4 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Note on the SECURITY entry: unlike every other data directory, its address field is a raw file offset, not an RVA, so the ".reloc" attribution is the tool looking the offset up as if it were an RVA. Taken as a file offset, 0x1220e00 + 0x2938 = 0x1223738 = 19'019'576, exactly the file size: the Authenticode blob occupies the tail of the file and nothing follows it.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x7b6f08 | 0x7b7000 | c5fcd06600ad7858e974ab3007eb9761 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7b8000 | 0x964130 | 0x964200 | 000352d65f38546b44ddca331ee36e7b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x111d000 | 0x9c060 | 0x6a600 | 453be2332373065dca2935a651c4aec0 | False | 0.3463801777320799 | data | 5.52825570347678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x11ba000 | 0x44c | 0x600 | 8e30f06e52b5181cd298e90ae389b88f | False | 0.361328125 | OpenPGP Public Key (a libmagic misidentification of the import table) | 4.037841933634899 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x11bb000 | 0x6d36c | 0x6d400 | 60eaa40e0f81834bc953ecd0a86a20d3 | False | 0.5624150815217391 | data | 6.674615366669123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x1229000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x122a000 | 0x2d48c | 0x2d600 | 156aadce8d6d550cc616f698cedf5a7b | False | 0.2314372417355372 | data | 4.524396935019694 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

The only section name outside the conventional set is .symtab, which is what the "PE file contains sections with non-standard names" signature refers to. No section is both writable and executable, and .data is the only one whose virtual size exceeds its raw size (an uninitialized tail the loader zero-fills).
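Several of the static findings in this report can be re-derived from nothing but the numbers printed in it: which section holds the entrypoint, which section names fall outside the conventional set, why the SECURITY directory is attributed to .reloc, whether the signature blob is really at the end of the file, and whether the memory regions that produced the RedLine Yara hits lie inside the mapped image at all. The following is an added example, not Joe Sandbox code: it encodes the section table, data directories, entrypoint and image bases exactly as listed on this page. `STANDARD_NAMES` is my own list of conventional section names, not the sandbox's, and a section alignment of 0x1000 is assumed from the section addresses.

```python
"""Static PE sanity checks over the header data listed in this report.

Added example, not Joe Sandbox code. Assumptions: STANDARD_NAMES is a
conventional-name list of my own, and SECTION_ALIGN = 0x1000 is inferred from
the section RVAs; every other number is copied from the report.
"""
from dataclasses import dataclass

X, W, R = "EXECUTE", "WRITE", "READ"
CODE, IDATA, DISC = "CNT_CODE", "CNT_INITIALIZED_DATA", "DISCARDABLE"


@dataclass(frozen=True)
class Section:
    name: str
    va: int            # section RVA
    vsize: int         # VirtualSize
    raw_size: int      # SizeOfRawData
    flags: frozenset   # IMAGE_SCN_* characteristics, abbreviated


# Section table as printed in the report.
SECTIONS = [
    Section(".text",   0x0001000, 0x7b6f08, 0x7b7000, frozenset({CODE, X, R})),
    Section(".rdata",  0x07b8000, 0x964130, 0x964200, frozenset({IDATA, R})),
    Section(".data",   0x111d000, 0x09c060, 0x06a600, frozenset({IDATA, R, W})),
    Section(".idata",  0x11ba000, 0x00044c, 0x000600, frozenset({IDATA, R, W})),
    Section(".reloc",  0x11bb000, 0x06d36c, 0x06d400, frozenset({IDATA, DISC, R})),
    Section(".symtab", 0x1229000, 0x000004, 0x000200, frozenset({DISC, R})),
    Section(".rsrc",   0x122a000, 0x02d48c, 0x02d600, frozenset({IDATA, R})),
]
ENTRYPOINT_RVA = 0x479400
PREFERRED_BASE = 0x400000            # Imagebase in the static header
RUNTIME_BASE = 0xeb0000              # Imagebase of PID 7624 in the process section
TIMESTAMP = 0x0
SECURITY_DIR = (0x1220e00, 0x2938)   # (file offset, size) of the Authenticode blob
FILE_SIZE = 19_019_576
SECTION_ALIGN = 0x1000               # assumed

# Conventional section names (assumption, not the sandbox's list).
STANDARD_NAMES = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                  ".reloc", ".rsrc", ".bss", ".tls", ".xdata", ".CRT"}


def section_for_rva(rva):
    """Name of the section whose virtual range covers rva, or None."""
    for s in SECTIONS:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s.name
    return None


def image_size():
    """SizeOfImage reconstructed from the last section, rounded to SECTION_ALIGN."""
    end = max(s.va + max(s.vsize, s.raw_size) for s in SECTIONS)
    return -(-end // SECTION_ALIGN) * SECTION_ALIGN


def image_contains(runtime_addr, base=RUNTIME_BASE):
    """True if a runtime address falls inside the mapped image of the process."""
    return base <= runtime_addr < base + image_size()


def triage():
    """The checks an analyst would run by hand, as one dict of findings."""
    ep = section_for_rva(ENTRYPOINT_RVA)
    ep_exec = any(s.name == ep and X in s.flags for s in SECTIONS)
    sig_off, sig_size = SECURITY_DIR
    return {
        "entrypoint_section": ep,
        "entrypoint_in_executable_section": ep_exec,
        "nonstandard_sections": [s.name for s in SECTIONS if s.name not in STANDARD_NAMES],
        "wx_sections": [s.name for s in SECTIONS if {X, W} <= s.flags],
        "uninitialized_tail": [s.name for s in SECTIONS if s.vsize > s.raw_size],
        "zero_timestamp": TIMESTAMP == 0,
        # The SECURITY entry is a file offset; looking it up as an RVA is the
        # tool's mistake, reproduced here to show where ".reloc" comes from.
        "security_dir_as_if_rva": section_for_rva(sig_off),
        "bytes_after_signature": FILE_SIZE - (sig_off + sig_size),
        "relocated_by": RUNTIME_BASE - PREFERRED_BASE,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
    for addr in (RUNTIME_BASE + ENTRYPOINT_RVA, 0x02C84000, 0x0A06E000):
        print(f"0x{addr:08X} inside image: {image_contains(addr)}")
```

Run stand-alone it shows the entrypoint in .text, .symtab as the only unconventional name, no W+X section, .data as the only section with an uninitialized tail, the signature ending exactly at EOF, and the image relocated by 0xab0000. The last loop is the point worth noting for this report: the dumps on which the RedLine and Arechclient2 rules fired (0x02C84000, 0x0A06E000) lie outside the mapped image, so the detected payload lives in dynamically allocated memory rather than in the signed file's own sections.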
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x122a330 | 0x4d23 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9730085582620145
RT_ICON | 0x122f054 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.10494794747426948
RT_ICON | 0x123f87c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.1455223880597015
RT_ICON | 0x1248d24 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.16104436229205177
RT_ICON | 0x124e1ac | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15487718469532358
RT_ICON | 0x12523d4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.20010373443983404
RT_ICON | 0x125497c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.23663227016885555
RT_ICON | 0x1255a24 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.3282786885245902
RT_ICON | 0x12563ac | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.3882978723404255
RT_GROUP_ICON | 0x1256814 | 0x84 | data | | | 0.7272727272727273
RT_VERSION | 0x1256898 | 0x5c8 | data | | | 0.27094594594594595
RT_MANIFEST | 0x1256e60 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetUnhandledExceptionFilter, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler
Language of compilation system: English
Country where language is spoken: United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 1, 2024 01:05:21.099914074 CEST | 53 | 60148 | 1.1.1.1 | 192.168.2.4

This single packet, from port 53 on the 1.1.1.1 resolver to an ephemeral port on the analysis VM, is a DNS reply and the only traffic the report records; consistent with the "No contacted domains" and "No contacted IP" sections, no command-and-control traffic was observed during the run.

Target ID: 0
Start time: 19:05:01
Start date: 31/08/2024
Path: C:\Users\user\Desktop\Authenticator.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Authenticator.exe"
Imagebase: 0xeb0000 (the static header asks for 0x400000; the image was relocated because DYNAMIC_BASE is set, so subtract 0xeb0000, not 0x400000, when mapping runtime addresses back to RVAs)
File size: 19'019'576 bytes
MD5 hash: B7AA705AE0273C87A7AF8C79F47247D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1896316518.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1896884166.0000000002D3E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2417488250.0000000002C90000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2476745340.0000000002F4A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2122298099.0000000009BB4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2097701087.000000000A2B2000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2475548142.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2476787398.0000000002F2A000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.2097701087.000000000A06E000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1937825667.00000000054C0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2192977139.000000000569A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2123097354.000000000996A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2344961613.0000000003404000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2123903017.00000000097D4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2122269693.0000000009BCA000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2123875583.00000000097E8000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.2475548142.0000000002C84000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2122269693.0000000009BC4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2125448522.00000000094A4000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2448939633.0000000003670000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.2417488250.0000000002CA2000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2125985747.0000000009322000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1835794814.00000000033D6000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1938338473.000000000533E000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2344407722.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2475688677.0000000003700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2122576556.0000000009AEC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2121489646.0000000009D4C000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1791336027.0000000003046000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2364662594.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2191894499.000000000599E000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2124897190.0000000009626000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1922339153.00000000057F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1763556310.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1937267098.0000000005638000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2091317406.0000000002F28000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.2345573749.0000000002E64000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2477412382.0000000002D46000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1791336027.0000000002F83000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1836664535.00000000031C8000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2345472565.0000000002F58000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2345454228.0000000002F68000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2109675258.0000000009F22000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2388214190.0000000002D64000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1763556310.0000000003046000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1922339153.0000000005872000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2477412382.0000000002D42000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.1841999418.0000000002F84000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1936782689.0000000005864000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1896945017.0000000002D0E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1936782689.0000000005872000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1896921247.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2346576155.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1896907726.0000000002D2E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2343387489.00000000037A4000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2476787398.0000000002F38000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2476421922.00000000034CC000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2124361828.00000000096A6000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2477308623.0000000002E42000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2123875583.00000000097E4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2097701087.000000000A130000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1763556310.000000000328A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.2098162819.0000000009FC8000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1763556310.0000000003650000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000000.00000003.1763556310.00000000034CE000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: MALWARE_Win_Arechclient2, Description: Detects Arechclient2 RAT, Source: 00000000.00000003.1763556310.000000000340C000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Reputation: low
              Has exited: false

              No disassembly