
Windows Analysis Report
SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Analysis ID: 1537052
MD5: 09289584ed12a81a0a2a2d6df31df6da
SHA1: 26fb4b863c809c1dde042bf5fe9d1de98e694487
SHA256: 2ce4cfe235350e3cb4f613e988203e8c6745db826bcb1f0aa2399d9427ef2357
Tags: exe

Detection

XWorm
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number, etc.) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe (PID: 4784 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe" MD5: 09289584ED12A81A0A2A2D6DF31DF6DA)
    • RegAsm.exe (PID: 1540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • WerFault.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1828 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6d5a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6df7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6f0c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6bcc:$cnc4: POST / HTTP/1.1
00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6b42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6bdf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6cf4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x69b4:$cnc4: POST / HTTP/1.1
Process Memory Space: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe PID: 4784 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
1.2.RegAsm.exe.e00000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
1.2.RegAsm.exe.e00000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x6d42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6ddf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6ef4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6bb4:$cnc4: POST / HTTP/1.1

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-18T14:09:15.493292+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 50009 | 167.71.56.116 | 22781 | TCP


          AV Detection

Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1.2.RegAsm.exe.e00000.0.unpack | String decryptor: 167.71.56.116
Source: 1.2.RegAsm.exe.e00000.0.unpack | String decryptor: 22781
Source: 1.2.RegAsm.exe.e00000.0.unpack | String decryptor: <123456789>
Source: 1.2.RegAsm.exe.e00000.0.unpack | String decryptor: <Xwormmm>
Source: 1.2.RegAsm.exe.e00000.0.unpack | String decryptor: XWorm V5.2
Source: 1.2.RegAsm.exe.e00000.0.unpack | String decryptor: USB.exe
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: mscorlib.pdbowp source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERE53E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Windows\RegAsm.pdb2 source: RegAsm.exe, 00000001.00000002.3132679665.0000000001288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb@ source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.3132679665.0000000001288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000001.00000002.3137270552.000000000616C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb8S source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Configuration.ni.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb source: RegAsm.exe, 00000001.00000002.3132679665.0000000001309000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERE53E.tmp.dmp.10.dr
Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: orlib.pdbpdbi source: RegAsm.exe, 00000001.00000002.3132679665.0000000001309000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbve source: RegAsm.exe, 00000001.00000002.3137270552.0000000006158000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERE53E.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: %%.pdb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbSystem.Configuration.dll< source: WERE53E.tmp.dmp.10.dr
Source: Binary string: n.pdbD source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3137270552.0000000006158000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp, WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Management.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb) source: RegAsm.exe, 00000001.00000002.3137270552.0000000006158000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Management.ni.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: Microsoft.VisualBasic.pdb* source: WERE53E.tmp.dmp.10.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3132679665.0000000001288000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000001.00000002.3137270552.000000000616C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.ni.pdb source: WERE53E.tmp.dmp.10.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERE53E.tmp.dmp.10.dr

          Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:50009 -> 167.71.56.116:22781
Source: global traffic | TCP traffic: 192.168.2.7:49714 -> 167.71.56.116:22781
Source: Joe Sandbox View | IP Address: 167.71.56.116
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: unknown | TCP traffic detected without corresponding DNS query: 167.71.56.116
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository/gdroot.crl0K
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository0
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certs.starfieldtech.com/repository/1/0-
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://crl.godaddy.com/gds5-16.crl0S
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://crl.starfieldtech.com/sfsroot.crl0S
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://ocsp.godaddy.com/0J
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://ocsp.godaddy.com0F
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://ocsp.starfieldtech.com/09
Source: RegAsm.exe, 00000001.00000002.3133252811.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: https://certs.starfieldtech.com/repository/0

          System Summary

Source: 1.2.RegAsm.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_01228390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_01225F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012256B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_01225370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_01220BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1828
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: invalid certificate
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe, 00000000.00000003.1286439675.000000007EC3D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerawworm.exe4 vs SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.RegAsm.exe.e00000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: classification engine | Classification label: mal96.troj.evad.winEXE@4/5@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\zHFSP3mGN1gkADEH
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1540
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\41d91e62-cda1-44d0-ac06-c94da56fb8f8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1828
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static file information: File size 2121456 > 1048576
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13ee00
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: System.Core.ni.pdb source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: %%.pdb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdbSystem.Configuration.dll< source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: n.pdbD source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3137270552.0000000006158000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp, WERE53E.tmp.dmp.10.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: System.Management.pdb source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb) source: RegAsm.exe, 00000001.00000002.3137270552.0000000006158000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: System.Management.ni.pdb source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: Microsoft.VisualBasic.pdb* source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3132679665.0000000001288000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Core.pdb source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000001.00000002.3137270552.000000000616C000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: n0C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000001.00000002.3135293089.000000000544A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: System.ni.pdb source: WERE53E.tmp.dmp.10.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WERE53E.tmp.dmp.10.dr
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Static PE information: real checksum: 0x211b73 should be: 0x20c29e
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Static PE information: section name: .didata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_01227223 push esp; ret 1_2_01227229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1220000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 4CF0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540 Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3540 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1240 Thread sleep count: 9495 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1240 Thread sleep count: 355 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: Amcache.hve.10.dr | Binary or memory string: VMware
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000001.00000002.3132679665.0000000001288000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Note: Amcache.hve is the application-compatibility hive of the analysis machine itself, so the VMware/Hyper-V identifiers above describe the sandbox VM's own hardware inventory rather than strings the sample carries or searches for; the RegAsm.exe entry "Hyper-V RAW" is the name of the Winsock provider in mswsock.dll and is present on stock Windows 10 as well.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E00000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E00000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E00000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E02000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E0A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E66000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C15008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Read together, these lines are the PE-injection chain summarized in the signature list: the sample starts a fresh RegAsm.exe (a signed Microsoft .NET utility, so the payload then runs under a trusted image path), allocates an execute+write region at E00000 inside it, writes a buffer beginning with the MZ magic (4D5A) at that base, follows with writes at E02000, E0A000 and E66000 above it, and makes one further write elsewhere at C15008.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 00000001.00000002.3132679665.0000000001288000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3132679665.0000000001309000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (issued repeatedly throughout the run)

          Stealing of Sensitive Information

Source: Yara match | File source: 1.2.RegAsm.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe PID: 4784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1540, type: MEMORYSTR

          Remote Access Functionality

Source: Yara match | File source: 1.2.RegAsm.exe.e00000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe PID: 4784, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1540, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; numbers are kept as they appear in the report's matrix cells)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
Execution: 11 Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd
Persistence: 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script
Privilege Escalation: 311 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script
Defense Evasion: 1 Disable or Modify Tools | 141 Virtualization/Sandbox Evasion | 311 Process Injection | 1 DLL Side-Loading | 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
Discovery: 131 Security Software Discovery | 141 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 13 System Information Discovery | Internet Connection Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
Collection: 1 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | Steganography | Protocol Impersonation | Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact
Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | 50% | ReversingLabs | Win32.Trojan.NeptuneLoader
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.godaddy.com/gds5-16.crl0S | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certs.starfieldtech.com/repository/1/0- | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
https://certs.starfieldtech.com/repository/0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository/0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://ocsp.starfieldtech.com/09 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository100. | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://upx.sf.net | Amcache.hve.10.dr | false | URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository/gd_intermediate.crt0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000001.00000002.3133252811.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.starfieldtech.com/sfsroot.crl0S | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository/gdroot.crl0K | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
The GoDaddy/Starfield entries are CRL, OCSP and repository URLs carried in the sample's Authenticode certificate chain (the signature is flagged as invalid in the signature list); the trailing characters such as "0S", "09" and "0K" are adjacent printable bytes of the certificate's DER encoding picked up by string extraction, not part of the URLs. None of them is a contact indicator: the report records no contacted domains, only the direct IP connection listed below.
IP | Domain | Country | ASN | ASN Name | Malicious
167.71.56.116 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1537052
                                Start date and time:2024-10-18 14:06:29 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 30s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:13
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
                                Detection:MAL
                                Classification:mal96.troj.evad.winEXE@4/5@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 6
                                • Number of non-executed functions: 2
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                • Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Time | Type | Description
08:07:34 | API Interceptor | 4449564x Sleep call for process: RegAsm.exe modified
09:18:37 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
167.71.56.116 | X.exe | malicious | XWorm
167.71.56.116 | SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | malicious | XWorm
167.71.56.116 | WinScanGuard_v.2.1.bat | malicious | Quasar
167.71.56.116 | Shadow-Stealer.bat | malicious | Quasar
167.71.56.116 | OvA6x5v34G.exe | malicious | AsyncRAT
167.71.56.116 | zUYpYikG7T.exe | malicious | njRat
167.71.56.116 | SdwkQEBnc3.exe | malicious | Nanocore
167.71.56.116 | riV1K85Awe.exe | malicious | Nanocore
167.71.56.116 | Malwarebytes Gears.exe | malicious | AsyncRAT
167.71.56.116 | H8RZSly6dG.exe | malicious | Njrat
                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | IP
DIGITALOCEAN-ASNUS | https://sites.google.com/view/hffgshfgsqfgsqf/home | malicious | Unknown | 138.68.75.10
DIGITALOCEAN-ASNUS | la.bot.mips.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.mipsel.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.arm7.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.mips.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | earm5.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.sparc.elf | malicious | Mirai | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.mipsel.elf | malicious | Unknown | 103.253.147.242
DIGITALOCEAN-ASNUS | la.bot.mips.elf | malicious | Unknown | 162.243.19.47
DIGITALOCEAN-ASNUS | https://www.google.kz/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp%2F%E2%80%8Blu%C2%ADi%C2%ADse%C2%ADdu%C2%ADardo%C2%ADdias%E2%80%8B.c%C2%ADo%C2%ADm.b%C2%ADr/z/dGVjaG5pY2FsQGxtbS5ncg== | malicious | Unknown | 161.35.71.107
                                                    No context
                                                    No context
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):65536
                                                    Entropy (8bit):1.2822384333069519
                                                    Encrypted:false
                                                    SSDEEP:192:9vvbeFy/uVKN0BU/qaUtY3oXcsxLzuiF/Z24IO8V5:9XluVzBU/qaUtXcEzuiF/Y4IO8V
                                                    MD5:FF3B4F929624F719F6213D7221D654A0
                                                    SHA1:A21803F753766BE95DFF1E6F531CBFF755F59653
                                                    SHA-256:A33925DFED8618B611C4C16E32BDE8CDAFF2359B799806507E7CDC53BEC29125
                                                    SHA-512:B37663E6905A81BA6B82375896A1C9084A778369ACE15BF3C6F61A089B96FB94F7DF99E602F9C02D6AC7080EA22D3D6E53C50041994DFF684C60D98B719A1F1D
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.7.3.1.1.0.2.1.3.6.6.8.3.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.7.3.1.1.0.2.6.5.2.3.7.4.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.a.f.7.7.8.3.5.-.1.e.6.1.-.4.3.2.6.-.8.8.5.2.-.8.f.3.7.b.1.8.4.a.f.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.7.1.8.7.4.a.8.-.4.4.a.6.-.4.b.8.e.-.b.5.c.8.-.0.4.d.8.1.f.d.0.5.7.4.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.0.4.-.0.0.0.1.-.0.0.1.4.-.9.f.5.f.-.2.4.4.c.5.6.2.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.R.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:Mini DuMP crash report, 14 streams, Fri Oct 18 13:18:22 2024, 0x1205a4 type
                                                    Category:dropped
                                                    Size (bytes):285655
                                                    Entropy (8bit):3.7766900047446073
                                                    Encrypted:false
                                                    SSDEEP:3072:V5UqWAQayI7U4uEqfMPvHfLTgo2QZeNzzU6BCjHtX8:DUqCayqU4yMTTgoVeN3UwCJs
                                                    MD5:D7FA7AB8DD9F1945937EA8312C76D905
                                                    SHA1:9C9C7B3A4567EC7EB962C7511C1D8588288A3AF4
                                                    SHA-256:0585D6D6255E589C2A1C9A9F00B800CFF42931E9A75EAB7BB3CF04A05656031B
                                                    SHA-512:2A95B0CE08EF3383DD1C9E41860C54C5A158A70CC6695975475F98A960A6AD17AAD11D0C0F3AB462D7E4BBAF2CD01B49190569CF12A4473E1D0559270768253F
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:MDMP..a..... ........`.g............t...........t#..|........"...`..........T.......8...........T............A...............,..........................................................................................eJ......t/......GenuineIntel............T...........~O.g....L........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):6378
                                                    Entropy (8bit):3.7148771222472727
                                                    Encrypted:false
                                                    SSDEEP:192:R6l7wVeJeYA6IwrrYZOxprD89bNsQ4sfEPm:R6lXJm6IQY8oNsQrfx
                                                    MD5:82589AD71B5EB95386839A616D9BB438
                                                    SHA1:9F2348AE29E828C4550D85FFF5F4C5C76BD6B7C7
                                                    SHA-256:F80B38C42D1953ADBFA8785AD867080D36B8666FAE889CEA8AA17951777F60FC
                                                    SHA-512:63527E95BEECE3981C56253E1EC4631BA94A5BAA158E8FD08261D7AC06904BBF03CD438D6EB44044249CC55ADC0005F626B79EEE1A9A4658419DD7D39713D630
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.5.4.0.<./.P.i.
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4721
                                                    Entropy (8bit):4.435752713483193
                                                    Encrypted:false
                                                    SSDEEP:48:cvIwWl8zsDJg77aI9QbWpW8VYPjYm8M4JfuyziF1I+q8vZyzc5QgLuOLuWrd:uIjfdI7aq7VXJfua0IKZac5BukuWrd
                                                    MD5:F6A05307147E900FF9552C670705A941
                                                    SHA1:B2D50E011BC6B438800B890D6B7E2DF3BF75780F
                                                    SHA-256:BBADF6ED4124B4C119D8876724DEF9EA77A6416D3D9E09E43BB96EB23521C1CE
                                                    SHA-512:D55184F3A875BF1E76608AB8F8BA14729E0F95E4FBEA6C554455AC4C50D0C15B3417E7C6A53E5C598669008DA9DCE9DEDF6918A2047F6D9BAD1CEC11576DA7C2
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="548901" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                    File Type:MS Windows registry file, NT/2000 or above
                                                    Category:dropped
                                                    Size (bytes):1835008
                                                    Entropy (8bit):4.417535697182074
                                                    Encrypted:false
                                                    SSDEEP:6144:Ocifpi6ceLPL9skLmb0mdSWSPtaJG8nAgex285i2MMhA20X4WABlGuNL5+:bi58dSWIZBk2MM6AFBlo
                                                    MD5:40313EB3A3CBB6751F70A0AF1FC1A91D
                                                    SHA1:82C9C7F685CBEEBCAE4B039713B66A417E949E0C
                                                    SHA-256:45F2799EA60DEB05A83874B39FEE44F1E5C0A110EC70DF6C887D7B7B6D0E6005
                                                    SHA-512:6DAB42C66AFC783CAA38FCD6EC1F1F2B983231E030E9AC8F9010387A155595DE611A89F27DE7754195F87AC6A2D2EFD415E4156E5EAF8D36E66327178EBCD804
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR.4`!...............................................................................................................................................................................................................................................................................................................................................0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):6.309641950556383
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.53%
                                                    • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    File name:SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
                                                    File size:2'121'456 bytes
                                                    MD5:09289584ed12a81a0a2a2d6df31df6da
                                                    SHA1:26fb4b863c809c1dde042bf5fe9d1de98e694487
                                                    SHA256:2ce4cfe235350e3cb4f613e988203e8c6745db826bcb1f0aa2399d9427ef2357
                                                    SHA512:e6d4cea771d4cdc0fa958aef23fc7f9ad575b2e49bec65e8b22fb2de5ce551de6936d052544004200a097410fbb7109b7d6f71d1c01889bb9b5e0dc53fb72ac7
                                                    SSDEEP:24576:QljLYQBtY2rLbnoQVNYRvobF5ZIMfffffffffffffffTEqNrK2Y/l6q3:QxbB7VYSMR/l6q3
                                                    TLSH:5AA5F703EF6452B5E93D36BA11B26BB5473BE52BDC8B480A59B3347F8A231D0382D355
                                                    File Content Preview:MZP.....................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................
                                                    Icon Hash:2bbd7b3bbb91184c
                                                    Entrypoint:0x541228
                                                    Entrypoint Section:.itext
                                                    Digitally signed:true
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x6594420D [Tue Jan 2 17:04:13 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:6
                                                    OS Version Minor:0
                                                    File Version Major:6
                                                    File Version Minor:0
                                                    Subsystem Version Major:6
                                                    Subsystem Version Minor:0
                                                    Import Hash:c27196cb386d9c2fcebfe58d6b783f7f
                                                    Signature Valid:false
                                                    Signature Issuer:SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
                                                    Signature Validation Error:The digital signature of the object did not verify
                                                    Error Number:-2146869232
                                                    Not Before, Not After
                                                    • 23/04/2013 18:46:49 23/04/2016 18:46:49
                                                    Subject Chain
                                                    • CN=TallApplications BV, O=TallApplications BV, L=Grubbenvorst, S=Limburg, C=NL
                                                    Version:3
                                                    Thumbprint MD5:0CFB7685B54EF58E0DD65B242E82E080
                                                    Thumbprint SHA-1:2D5609B5B7FB15C2CCF27F91E6AF062511E37170
                                                    Thumbprint SHA-256:751E9D2F2901B771BE8DA1AFB24B2D3E51E4EA32B8E21CA425DD280701608FBA
                                                    Serial:07AD5CFABFBBAA
                                                    Instruction
                                                    push ebp
                                                    mov ebp, esp
                                                    mov ecx, 0000000Dh
                                                    push 00000000h
                                                    push 00000000h
                                                    dec ecx
                                                    jne 00007EFE1C6E85ABh
                                                    push ebx
                                                    push esi
                                                    mov eax, 0053AF30h
                                                    call 00007EFE1C5B850Eh
                                                    xor eax, eax
                                                    push ebp
                                                    push 00541838h
                                                    push dword ptr fs:[eax]
                                                    mov dword ptr fs:[eax], esp
                                                    mov dl, 01h
                                                    mov eax, dword ptr [0053ABCCh]
                                                    call 00007EFE1C5AF714h
                                                    mov esi, eax
                                                    mov eax, 00561A68h
                                                    mov edx, esi
                                                    test edx, edx
                                                    je 00007EFE1C6E85B5h
                                                    sub edx, FFFFFFF8h
                                                    call 00007EFE1C5B5C03h
                                                    xor eax, eax
                                                    mov dword ptr [ebp-14h], eax
                                                    xor ecx, ecx
                                                    push ebp
                                                    push 005417F9h
                                                    push dword ptr fs:[ecx]
                                                    mov dword ptr fs:[ecx], esp
                                                    lea edx, dword ptr [ebp-14h]
                                                    mov eax, 00000001h
                                                    call 00007EFE1C6E0C77h
                                                    xor eax, eax
                                                    mov dword ptr [ebp-18h], eax
                                                    xor ecx, ecx
                                                    push ebp
                                                    push 005417DAh
                                                    push dword ptr fs:[ecx]
                                                    mov dword ptr fs:[ecx], esp
                                                    lea edx, dword ptr [ebp-18h]
                                                    mov eax, 00000002h
                                                    call 00007EFE1C6E0C57h
                                                    mov edx, dword ptr [ebp-18h]
                                                    mov eax, edx
                                                    test eax, eax
                                                    je 00007EFE1C6E85B7h
                                                    sub eax, 04h
                                                    mov eax, dword ptr [eax]
                                                    test eax, eax
                                                    jle 00007EFE1C6E85C6h
                                                    mov eax, edx
                                                    test eax, eax
                                                    je 00007EFE1C6E85B7h
                                                    sub eax, 04h
                                                    mov eax, dword ptr [eax]
                                                    lea edx, dword ptr [ebp-18h]
                                                    xchg eax, edx
                                                    call 00007EFE1C5B2035h
                                                    lea ecx, dword ptr [ebp-44h]
                                                    mov edx, 00541854h
                                                    mov eax, dword ptr [ebp-18h]
                                                    call 00007EFE1C679449h
                                                    mov edx, dword ptr [ebp-44h]
                                                    mov eax, 00561A4Ch
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x164000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x162000 | 0xeaa | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x180000 | 0x91842 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x204a00 | 0x14f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x167000 | 0x18968 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x166000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1622c4 | 0x24c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x163000 | 0x1ea | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13ec30 | 0x13ee00 | c51c6cb37ed5ce0e3f5505dc3ac403bc | False | 0.36596019330654644 | data | 6.490706528468914 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x140000 | 0x1934 | 0x1a00 | 7ac92331d0c7df1bc9e4c0d07104c159 | False | 0.5147235576923077 | data | 6.232517754168578 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x142000 | 0x182d4 | 0x18400 | a20ea187c764645fcd5c35d906f0f7f6 | False | 0.18651336984536082 | data | 5.281725279036479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x15b000 | 0x6a6c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x162000 | 0xeaa | 0x1000 | 3cf5ec88566996006540ea535e613c5c | False | 0.352294921875 | zlib compressed data | 4.7520074705410895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x163000 | 0x1ea | 0x200 | 61251115c0a0c926bd55f02b7ec230a7 | False | 0.416015625 | firmware 100 v0 (revision 1915819520) (1\026 , version 52263.16640.35879 (region 2284852736), 0 bytes or less, UNKNOWN1 0x88301600, at 0 0 bytes , at 0 0 bytes , at 0x48534000 3226615808 bytes | 3.345822242610369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x164000 | 0x71 | 0x200 | 93b1b87c3109e7fee7b3e8bb61ade18e | False | 0.1796875 | data | 1.3456704524513246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x165000 | 0x20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x166000 | 0x5d | 0x200 | fdcc303ff40bb15074bd3ec3e38eac94 | False | 0.189453125 | data | 1.376875570449468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x167000 | 0x18968 | 0x18a00 | 17ed0a2e57f1b8c5b6904d0a2d26f915 | False | 0.528216211928934 | data | 6.669990802122488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x180000 | 0x91842 | 0x91a00 | 1608fa01be6fd3aefd5f8e76194afd48 | False | 0.1028014350858369 | data | 3.4961514116837944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x180618 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.47681236673773986
RT_ICON | 0x1814c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6078519855595668
RT_ICON | 0x181d68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.4971198156682028
RT_ICON | 0x182430 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.5852601156069365
RT_ICON | 0x182998 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.30933609958506225
RT_ICON | 0x184f40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.40384615384615385
RT_ICON | 0x185fe8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.4319672131147541
RT_ICON | 0x186970 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5939716312056738
RT_STRING | 0x186dd8 | 0x33c | data | | | 0.4190821256038647
RT_STRING | 0x187114 | 0x3dc | data | | | 0.2834008097165992
RT_STRING | 0x1874f0 | 0x370 | data | | | 0.4147727272727273
RT_STRING | 0x187860 | 0x464 | data | | | 0.37277580071174377
RT_STRING | 0x187cc4 | 0x4a8 | data | | | 0.3213087248322148
RT_STRING | 0x18816c | 0x3d4 | data | | | 0.376530612244898
RT_STRING | 0x188540 | 0x440 | data | | | 0.3704044117647059
RT_STRING | 0x188980 | 0x1d0 | data | | | 0.40301724137931033
RT_STRING | 0x188b50 | 0xcc | data | | | 0.6225490196078431
RT_STRING | 0x188c1c | 0x17c | data | | | 0.55
RT_STRING | 0x188d98 | 0x384 | data | | | 0.3811111111111111
RT_STRING | 0x18911c | 0x3e0 | data | | | 0.3326612903225806
RT_STRING | 0x1894fc | 0x368 | data | | | 0.37844036697247707
RT_STRING | 0x189864 | 0x294 | data | | | 0.43787878787878787
RT_RCDATA | 0x189af8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x189b08 | 0x40c | data | | | 0.5318532818532818
RT_GROUP_ICON | 0x189f14 | 0x76 | data | | | 0.6610169491525424
RT_VERSION | 0x189f8c | 0x4b8 | COM executable for DOS | English | United States | 0.3120860927152318
RT_HTML | 0x18a444 | 0x873f3 | data | | | 0.08053670679512104
RT_HTML | 0x211838 | 0xa | ASCII text, with no line terminators | | | 1.8
DLL | Import
kernel32.dll | GetACP, CloseHandle, LocalFree, SizeofResource, ReadProcessMemory, QueryPerformanceFrequency, IsDebuggerPresent, VirtualFree, SetThreadContext, GetThreadContext, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, WriteProcessMemory, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, CopyFileW, LoadLibraryA, ResetEvent, GetVersion, FreeResource, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, LoadResource, SuspendThread, GetTickCount, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, VirtualAllocEx, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, CreateMutexA, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, IsValidLocale, TlsSetValue, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, CreateEventW, SetThreadLocale, GetThreadLocale
user32.dll | CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, CharLowerBuffW, LoadStringW, CharUpperW, PeekMessageW, GetSystemMetrics, MessageBoxW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
msvcrt.dll | isupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
advapi32.dll | RegQueryValueExW, RegCloseKey, RegOpenKeyExW
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x411070
dbkFCallWrapperAddr | 1 | 0x55e63c
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-18T14:09:15.493292+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 50009 | 167.71.56.116 | 22781 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 14:07:35.197186947 CEST | 49714 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:35.202147961 CEST | 22781 | 49714 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:35.202279091 CEST | 49714 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:35.299407959 CEST | 49714 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:35.304260969 CEST | 22781 | 49714 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:35.807558060 CEST | 22781 | 49714 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:35.807643890 CEST | 49714 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:39.695691109 CEST | 49714 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:39.696995974 CEST | 49740 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:39.700562000 CEST | 22781 | 49714 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:39.701874971 CEST | 22781 | 49740 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:39.701975107 CEST | 49740 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:39.725502968 CEST | 49740 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:39.730410099 CEST | 22781 | 49740 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:40.323682070 CEST | 22781 | 49740 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:40.323802948 CEST | 49740 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:43.039573908 CEST | 49740 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:43.040503979 CEST | 49757 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:43.064047098 CEST | 22781 | 49740 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:43.064069033 CEST | 22781 | 49757 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:43.064156055 CEST | 49757 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:43.088618994 CEST | 49757 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:43.093553066 CEST | 22781 | 49757 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:43.675582886 CEST | 22781 | 49757 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:43.675885916 CEST | 49757 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:47.891036034 CEST | 49757 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:47.893939018 CEST | 49786 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:47.895817995 CEST | 22781 | 49757 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:47.898710966 CEST | 22781 | 49786 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:47.898762941 CEST | 49786 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:48.072127104 CEST | 49786 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:48.077035904 CEST | 22781 | 49786 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:48.505624056 CEST | 22781 | 49786 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:48.505726099 CEST | 49786 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:51.570723057 CEST | 49786 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:51.572331905 CEST | 49809 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:51.575747967 CEST | 22781 | 49786 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:51.578500986 CEST | 22781 | 49809 | 167.71.56.116 | 192.168.2.7
Oct 18, 2024 14:07:51.578568935 CEST | 49809 | 22781 | 192.168.2.7 | 167.71.56.116
Oct 18, 2024 14:07:51.640732050 CEST | 49809 | 22781 | 192.168.2.7 | 167.71.56.116
                                                    Oct 18, 2024 14:07:51.645929098 CEST2278149809167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:52.188595057 CEST2278149809167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:52.188662052 CEST4980922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:52.289459944 CEST4980922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:52.290769100 CEST4981322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:52.295883894 CEST2278149809167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:52.296714067 CEST2278149813167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:52.296785116 CEST4981322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:52.321935892 CEST4981322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:52.326932907 CEST2278149813167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:52.913460970 CEST2278149813167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:52.913562059 CEST4981322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:57.461303949 CEST4981322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:57.462872982 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:57.466677904 CEST2278149813167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:57.467791080 CEST2278149844167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:57.467861891 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:57.493340015 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:57.498404026 CEST2278149844167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:58.683520079 CEST2278149844167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:58.683667898 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:58.683885098 CEST2278149844167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:58.683989048 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:07:58.684732914 CEST2278149844167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:07:58.684788942 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:01.758122921 CEST4984422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:01.759607077 CEST4986022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:01.763149977 CEST2278149844167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:01.764626026 CEST2278149860167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:01.764704943 CEST4986022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:01.782706022 CEST4986022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:01.790512085 CEST2278149860167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:02.361145020 CEST2278149860167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:02.361221075 CEST4986022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:06.477111101 CEST4986022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:06.478296041 CEST4989022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:06.483997107 CEST2278149860167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:06.484757900 CEST2278149890167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:06.484833002 CEST4989022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:06.501818895 CEST4989022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:06.511410952 CEST2278149890167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:07.098946095 CEST2278149890167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:07.099049091 CEST4989022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:11.461443901 CEST4989022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:11.462374926 CEST4991722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:11.467978001 CEST2278149890167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:11.468046904 CEST2278149917167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:11.468138933 CEST4991722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:11.484376907 CEST4991722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:11.489353895 CEST2278149917167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:12.082104921 CEST2278149917167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:12.082180977 CEST4991722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:14.414498091 CEST4991722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:14.416580915 CEST4993622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:14.419508934 CEST2278149917167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:14.421515942 CEST2278149936167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:14.421596050 CEST4993622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:14.451001883 CEST4993622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:14.455846071 CEST2278149936167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:15.046005964 CEST2278149936167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:15.046132088 CEST4993622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:17.320676088 CEST4993622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:17.322350025 CEST4995422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:17.325763941 CEST2278149936167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:17.327306032 CEST2278149954167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:17.327382088 CEST4995422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:17.346410990 CEST4995422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:17.352056980 CEST2278149954167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:17.930115938 CEST2278149954167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:17.930217981 CEST4995422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:19.805001974 CEST4995422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:19.805670023 CEST4996922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:19.810637951 CEST2278149954167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:19.813611031 CEST2278149969167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:19.813678980 CEST4996922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:19.828150988 CEST4996922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:19.833308935 CEST2278149969167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:20.442128897 CEST2278149969167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:20.442217112 CEST4996922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:21.789463043 CEST4996922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:21.790360928 CEST4998222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:21.794646978 CEST2278149969167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:21.799995899 CEST2278149982167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:21.800095081 CEST4998222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:21.815999031 CEST4998222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:21.823003054 CEST2278149982167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:22.500119925 CEST2278149982167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:22.500186920 CEST4998222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:23.765489101 CEST4998222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:23.769953966 CEST4998722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:23.779652119 CEST2278149982167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:23.780236959 CEST2278149987167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:23.780318975 CEST4998722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.376769066 CEST4998722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.383722067 CEST2278149987167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:24.386051893 CEST2278149987167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:24.386116982 CEST4998722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.445847988 CEST4998722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.450619936 CEST4998822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.450767040 CEST2278149987167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:24.455452919 CEST2278149988167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:24.455526114 CEST4998822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.561115980 CEST4998822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:24.566199064 CEST2278149988167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:25.053076029 CEST2278149988167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:25.053240061 CEST4998822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:26.383224010 CEST4998822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:26.384138107 CEST4998922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:26.388390064 CEST2278149988167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:26.389195919 CEST2278149989167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:26.389266014 CEST4998922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:26.407402992 CEST4998922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:26.412379026 CEST2278149989167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:26.986089945 CEST2278149989167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:26.986330986 CEST4998922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:28.042514086 CEST4998922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:28.045309067 CEST4999022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:28.047646999 CEST2278149989167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:28.050508976 CEST2278149990167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:28.050579071 CEST4999022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:28.124339104 CEST4999022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:28.129498959 CEST2278149990167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:28.651015043 CEST2278149990167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:28.651084900 CEST4999022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:29.289578915 CEST4999022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:29.291184902 CEST4999122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:29.295346975 CEST2278149990167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:29.296590090 CEST2278149991167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:29.296857119 CEST4999122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:29.313489914 CEST4999122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:29.320894957 CEST2278149991167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:29.894649029 CEST2278149991167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:29.894907951 CEST4999122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:30.617573977 CEST4999122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:30.618419886 CEST4999222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:30.622633934 CEST2278149991167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:30.623788118 CEST2278149992167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:30.623898983 CEST4999222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:30.643780947 CEST4999222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:30.648863077 CEST2278149992167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:31.245945930 CEST2278149992167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:31.246089935 CEST4999222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:31.539433002 CEST4999222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:31.540539980 CEST4999322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:31.544553041 CEST2278149992167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:31.545739889 CEST2278149993167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:31.545825958 CEST4999322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:31.567186117 CEST4999322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:31.572247982 CEST2278149993167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:32.341016054 CEST2278149993167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:32.341156006 CEST4999322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:32.399038076 CEST4999322781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:32.400218010 CEST4999422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:32.404854059 CEST2278149993167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:32.405630112 CEST2278149994167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:32.405759096 CEST4999422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:32.427752972 CEST4999422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:32.432740927 CEST2278149994167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.020369053 CEST2278149994167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.020529985 CEST4999422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.258157015 CEST4999422781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.259076118 CEST4999522781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.263196945 CEST2278149994167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.264266968 CEST2278149995167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.264353991 CEST4999522781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.280724049 CEST4999522781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.286983013 CEST2278149995167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.882023096 CEST2278149995167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.882266045 CEST4999522781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.978084087 CEST4999522781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.979921103 CEST4999622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:33.985893011 CEST2278149995167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.986926079 CEST2278149996167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:33.987023115 CEST4999622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:34.006671906 CEST4999622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:34.012892008 CEST2278149996167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:34.608427048 CEST2278149996167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:34.608500957 CEST4999622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.008270979 CEST4999622781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.008976936 CEST4999722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.022394896 CEST2278149996167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:35.024431944 CEST2278149997167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:35.024863958 CEST4999722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.040565014 CEST4999722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.046315908 CEST2278149997167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:35.640820980 CEST2278149997167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:35.640887022 CEST4999722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.743150949 CEST4999722781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.745285034 CEST4999822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.749279022 CEST2278149997167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:35.752190113 CEST2278149998167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:35.752283096 CEST4999822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.794491053 CEST4999822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:35.799546003 CEST2278149998167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:36.361709118 CEST2278149998167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:36.361779928 CEST4999822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:36.539504051 CEST4999822781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:36.541551113 CEST4999922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:36.544536114 CEST2278149998167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:36.547200918 CEST2278149999167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:36.547275066 CEST4999922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:36.579345942 CEST4999922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:36.584461927 CEST2278149999167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.148895979 CEST2278149999167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.152906895 CEST4999922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.258174896 CEST4999922781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.260605097 CEST5000022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.263354063 CEST2278149999167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.265988111 CEST2278150000167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.266088963 CEST5000022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.291207075 CEST5000022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.308943033 CEST2278150000167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.880815983 CEST2278150000167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.880925894 CEST5000022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.883809090 CEST5000022781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.885420084 CEST5000122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.888629913 CEST2278150000167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.890558004 CEST2278150001167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:37.890667915 CEST5000122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.911129951 CEST5000122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:37.916038036 CEST2278150001167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:38.492400885 CEST2278150001167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:38.492528915 CEST5000122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:38.493860006 CEST5000122781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:38.498692036 CEST2278150001167.71.56.116192.168.2.7
                                                    Oct 18, 2024 14:08:38.514398098 CEST5000222781192.168.2.7167.71.56.116
                                                    Oct 18, 2024 14:08:38.519309998 CEST2278150002167.71.56.116192.168.2.7


                                                    Target ID:0
                                                    Start time:08:07:26
                                                    Start date:18/10/2024
                                                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe"
                                                    Imagebase:0x720000
                                                    File size:2'121'456 bytes
                                                    MD5 hash:09289584ED12A81A0A2A2D6DF31DF6DA
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:Borland Delphi
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.1286439675.000000007EBE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:1
                                                    Start time:08:07:26
                                                    Start date:18/10/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                    Imagebase:0x9f0000
                                                    File size:65'440 bytes
                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.3131831968.0000000000E02000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:09:18:21
                                                    Start date:18/10/2024
                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1828
                                                    Imagebase:0xe20000
                                                    File size:483'680 bytes
                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true


                                                      Execution Graph

                                                      Execution Coverage:16.9%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:61
                                                      Total number of Limit Nodes:9
                                                      execution_graph: node and edge data for the graph rooted at 0x12218d8 (the 61 nodes and 9 limit nodes counted above); the only API named in the graph data is GlobalMemoryStatusEx (KERNEL32), reached via 0x122792c/0x1227933 and 0x12280be. The rendered graph was not preserved in this export.

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic-block edge data for the function rooted at block 12256b8-122571e, with calls to 1221f34; the rendered graph was not preserved in this export.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \V.m
                                                      • API String ID: 0-4037683661
                                                      • Opcode ID: 8e9439c87f7eb18f7a8e27b20fd58ad27bf6371eea648c1b9e6ea87a2f84fd7e
                                                      • Instruction ID: 0483cef14334627cee7b3eba1f09dfec71b666414156d7852e37de698da0cdd1
                                                      • Opcode Fuzzy Hash: 8e9439c87f7eb18f7a8e27b20fd58ad27bf6371eea648c1b9e6ea87a2f84fd7e
                                                      • Instruction Fuzzy Hash: 26B13F70E10259DFDB14CFA9C8857EDBBF2AF48314F24C129D915E7294EB749845CB81

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic-block edge data for the function rooted at block 1228390-122839f (no API or call targets named in the graph data); the rendered graph was not preserved in this export.
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 18e707955c5b4cdfd7ff65b12199aebab42c18b1a7d3babc98f13503ac1b0ddf
                                                      • Instruction ID: c8b4f5629fa480b43784f573b3ecd680720126f9849f4e37125ec33d9edd8921
                                                      • Opcode Fuzzy Hash: 18e707955c5b4cdfd7ff65b12199aebab42c18b1a7d3babc98f13503ac1b0ddf
                                                      • Instruction Fuzzy Hash: 75C1B478F1422ADBDF284F6995542BDBEF2BFC8300F684419D982B6248CB39C851DB65

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic-block edge data for the function rooted at block 1225f88-1225fee, with calls to 1221f34; the rendered graph was not preserved in this export.
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 55ad933b8d699351e51baaa10d7e88b381dd09ee074bfe901e2bec23bce32db2
                                                      • Instruction ID: 0e7c192a267aabc82f79fa6591804374613dca661095c4b6283ffa4f3610873c
                                                      • Opcode Fuzzy Hash: 55ad933b8d699351e51baaa10d7e88b381dd09ee074bfe901e2bec23bce32db2
                                                      • Instruction Fuzzy Hash: 1FB18071E102299FDF14CFA8C88579DBBF2BF89314F248229D914A7394EB749845CB81

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic-block edge data for the function rooted at block 1227fa0-1227fab, with calls to 122792c and 12267ac and a GlobalMemoryStatusEx call in block 122805f-12280ec; the rendered graph was not preserved in this export.
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 182e18151ad84b1d02477a53001e07814009be6999f0142ef16df9e347544543
                                                      • Instruction ID: 1b97789fc8db68ad05a925e7fc428cc8a4cec5beb6feeecc09a4a78480a9bd05
                                                      • Opcode Fuzzy Hash: 182e18151ad84b1d02477a53001e07814009be6999f0142ef16df9e347544543
                                                      • Instruction Fuzzy Hash: 50412232E1435A9FDB14DF79C8007AEBBF5EF89220F14856AD508E7250EB78A841CBD0

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic-block edge data for the function rooted at block 1227999-12279a8, with a GlobalMemoryStatusEx call in block 12280be-12280ec; the rendered graph was not preserved in this export.
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,01227FF2), ref: 012280DF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: c01202eaab2a68ee549950e9ad1417895b6357090564e6ee4e4b2e4b85b6743a
                                                      • Instruction ID: 8b12a0c3077c0ad96bf72b6780a50046a1ef8f2b121d3a175f2179bc894850c6
                                                      • Opcode Fuzzy Hash: c01202eaab2a68ee549950e9ad1417895b6357090564e6ee4e4b2e4b85b6743a
                                                      • Instruction Fuzzy Hash: 2D2127B1C1066A9FCB20DF9AC444B9EFBF4FF48324F14816AD858A7240D778A945CFA5

                                                      Control-flow Graph

                                                      • Executed
                                                      • Not Executed
                                                      control_flow_graph: basic-block edge data for the function rooted at block 122792c-12280ec (GlobalMemoryStatusEx called in that block); the rendered graph was not preserved in this export.
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,01227FF2), ref: 012280DF
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: 19647f51164e94d76c266b5381e922b3715edac98451612ea757207acbd6c6a9
                                                      • Instruction ID: ef4588aa9bfe23e1a9bcc53367e92920055309dedc82147ea80821db9dadba71
                                                      • Opcode Fuzzy Hash: 19647f51164e94d76c266b5381e922b3715edac98451612ea757207acbd6c6a9
                                                      • Instruction Fuzzy Hash: CE1117B1C1065A9BDB20DF9AC445BEEFBF4EB48310F10816AD918A7240D778A945CFA5
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: \V.m
                                                      • API String ID: 0-4037683661
                                                      • Opcode ID: 07ef574127e85001189405411e4208a2814162b9f4f140dcafc788632845074d
                                                      • Instruction ID: cb6b86524d26578ae2a4d6a0ab5e530ea4f25b59d609b1b6613b163481a7aa98
                                                      • Opcode Fuzzy Hash: 07ef574127e85001189405411e4208a2814162b9f4f140dcafc788632845074d
                                                      • Instruction Fuzzy Hash: 63917E70E10319AFDB24CFA9D8817EDBBF2AF88314F14C129E505EB254DB749845CB81
                                                      Memory Dump Source
                                                      • Source File: 00000001.00000002.3132628123.0000000001220000.00000040.00000800.00020000.00000000.sdmp, Offset: 01220000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_1_2_1220000_RegAsm.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee37840a3042cd6f5a7a98461e4a92dbdc8836ea344621e6eefa2106cce96f60
                                                      • Instruction ID: 7114faa299c6bb267a5eed168fdca7551df4fcbfa513be67eb671c1fefd66c95
                                                      • Opcode Fuzzy Hash: ee37840a3042cd6f5a7a98461e4a92dbdc8836ea344621e6eefa2106cce96f60
                                                      • Instruction Fuzzy Hash: A3818175F102189BDB28AF74885477E7AB6BFC8700B05892DF546E7388CE39C8428795