Windows Analysis Report
SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Analysis ID: 1537052
MD5: 09289584ed12a81a0a2a2d6df31df6da
SHA1: 26fb4b863c809c1dde042bf5fe9d1de98e694487
SHA256: 2ce4cfe235350e3cb4f613e988203e8c6745db826bcb1f0aa2399d9427ef2357
Tags: exe

Detection

XWorm
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected XWorm
AI detected suspicious sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe (PID: 4404 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe" MD5: 09289584ED12A81A0A2A2D6DF31DF6DA)
    • RegAsm.exe (PID: 3724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • WerFault.exe (PID: 5712 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1628 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x6b42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6bdf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6cf4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x69b4:$cnc4: POST / HTTP/1.1
00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x6d5a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6df7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6f0c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6bcc:$cnc4: POST / HTTP/1.1
Process Memory Space: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe PID: 4404 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
1.2.RegAsm.exe.520000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.2.RegAsm.exe.520000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
    • 0x6d42:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x6ddf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6ef4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x6bb4:$cnc4: POST / HTTP/1.1
No Sigma rule has matched
No Suricata rule has matched

          AV Detection

Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1.2.RegAsm.exe.520000.0.unpack | String decryptor: 167.71.56.116
Source: 1.2.RegAsm.exe.520000.0.unpack | String decryptor: 22781
Source: 1.2.RegAsm.exe.520000.0.unpack | String decryptor: <123456789>
Source: 1.2.RegAsm.exe.520000.0.unpack | String decryptor: <Xwormmm>
Source: 1.2.RegAsm.exe.520000.0.unpack | String decryptor: XWorm V5.2
Source: 1.2.RegAsm.exe.520000.0.unpack | String decryptor: USB.exe
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: @&n.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.ni.pdbRSDS source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: ?&nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbR source: RegAsm.exe, 00000001.00000002.3715433178.00000000007DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Configuration.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: %%.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbMZ source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp, WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Management.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Core.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDBTt source: RegAsm.exe, 00000001.00000002.3715433178.000000000085B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.pdbSystem.Xml.ni.dll< source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: n0C:\Windows\mscorlib.pdbT source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.5:49707 -> 167.71.56.116:22781
Source: Joe Sandbox View | IP Address: 167.71.56.116 167.71.56.116
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: unknown | TCP traffic detected without corresponding DNS query: 167.71.56.116 (50 identical entries)
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository/gd_intermediate.crt0
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository/gdroot.crl0K
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository0
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.godaddy.com/repository100.
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://certs.starfieldtech.com/repository/1/0-
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://crl.godaddy.com/gds5-16.crl0S
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://crl.starfieldtech.com/sfsroot.crl0S
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://ocsp.godaddy.com/0J
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://ocsp.godaddy.com0F
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: http://ocsp.starfieldtech.com/09
Source: RegAsm.exe, 00000001.00000002.3716127904.00000000024B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | String found in binary or memory: https://certs.starfieldtech.com/repository/0

          System Summary

Source: 1.2.RegAsm.exe.520000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00918390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_009156B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00915F88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00910BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_00915370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1628
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: invalid certificate
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Number of sections : 11 > 10
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe, 00000000.00000003.2069832510.000000007F4AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerawworm.exe4 vs SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1.2.RegAsm.exe.520000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: classification engine | Classification label: mal88.troj.evad.winEXE@4/5@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\zHFSP3mGN1gkADEH
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3724
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5b226642-a2d7-48b4-8615-c74bc97b5359
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | ReversingLabs: Detection: 50%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1628
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: aclayers.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: acgenral.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msacm32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwmapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winmmbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: avicap32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvfw32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static file information: File size 2121456 > 1048576
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x13ee00
Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: @&n.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.ni.pdbRSDS source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: ?&nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdbR source: RegAsm.exe, 00000001.00000002.3715433178.00000000007DA000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Configuration.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbP source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: System.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: %%.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbMZ source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp, WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Management.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: mscorlib.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Management.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Core.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.PDBTt source: RegAsm.exe, 00000001.00000002.3715433178.000000000085B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Xml.pdbSystem.Xml.ni.dll< source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.ni.pdb source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER8BFA.tmp.dmp.7.dr
          Source: Binary string: n0C:\Windows\mscorlib.pdbT source: RegAsm.exe, 00000001.00000002.3717957275.0000000004D0A000.00000004.00000010.00020000.00000000.sdmp
          Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Static PE information: real checksum: 0x211b73 should be: 0x20c29e
          Source: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Static PE information: section name: .didata
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (42 identical entries)
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 identical entries)
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (51 identical entries)

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (19 identical entries)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 910000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 24B0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 22D0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 5809
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 4025
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6204 Thread sleep time: -17524406870024063s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2876 Thread sleep count: 5809 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2876 Thread sleep count: 4025 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation (17 identical entries)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
          Source: RegAsm.exe, 00000001.00000002.3715433178.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllyp
          Source: Amcache.hve.7.dr Binary or memory string: VMware
          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
          Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
          Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
          Source: Amcache.hve.7.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
          Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
          Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
          Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
          Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort (2 identical entries)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 520000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 520000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 520000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 522000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 52A000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 586000
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 2EA008
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: RegAsm.exe, 00000001.00000002.3715433178.000000000085B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3718235626.00000000058E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.3715433178.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (19 identical entries)

          Stealing of Sensitive Information

          Source: Yara match File source: 1.2.RegAsm.exe.520000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe PID: 4404, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3724, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match File source: 1.2.RegAsm.exe.520000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe PID: 4404, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3724, type: MEMORYSTR

          MITRE ATT&CK Matrix (rebuilt from the flattened table; the number shown beside a technique in the original matrix is kept in parentheses)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
          Execution: Windows Management Instrumentation (11); Scheduled Task/Job; At; Cron
          Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
          Privilege Escalation: Process Injection (311); DLL Side-Loading (1); Logon Script (Windows); Login Hook
          Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (141); Process Injection (311); DLL Side-Loading (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
          Discovery: Security Software Discovery (131); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Information Discovery (13)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
          Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
          Command and Control: Encrypted Channel (1); Non-Standard Port (1); Steganography; Protocol Impersonation
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Source | Detection | Scanner | Label | Link
SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | 50% | ReversingLabs | Win32.Trojan.NeptuneLoader |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://upx.sf.net | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
          No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.godaddy.com/gds5-16.crl0S | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certs.starfieldtech.com/repository/1/0- | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
https://certs.starfieldtech.com/repository/0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository/0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://ocsp.starfieldtech.com/09 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository100. | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://upx.sf.net | Amcache.hve.7.dr | false | URL Reputation: safe | unknown
http://certificates.starfieldtech.com/repository/1604 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository/gd_intermediate.crt0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000001.00000002.3716127904.00000000024B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.starfieldtech.com/sfsroot.crl0S | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository0 | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
http://certificates.godaddy.com/repository/gdroot.crl0K | SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
167.71.56.116 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1537052
                                Start date and time:2024-10-18 14:13:35 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 32s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Run name:Run with higher sleep bypass
                                Number of analysed new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
                                Detection:MAL
                                Classification:mal88.troj.evad.winEXE@4/5@0/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 6
                                • Number of non-executed functions: 2
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 20.189.173.22
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Time | Type | Description
08:15:05 | API Interceptor | 1956166x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
167.71.56.116 | X.exe | Get hash | malicious | XWorm | Browse |
| SecuriteInfo.com.Trojan.MulDrop23.34226.5725.23706.exe | Get hash | malicious | XWorm | Browse |
| WinScanGuard_v.2.1.bat | Get hash | malicious | Quasar | Browse |
| Shadow-Stealer.bat | Get hash | malicious | Quasar | Browse |
| OvA6x5v34G.exe | Get hash | malicious | AsyncRAT | Browse |
| zUYpYikG7T.exe | Get hash | malicious | njRat | Browse |
| SdwkQEBnc3.exe | Get hash | malicious | Nanocore | Browse |
| riV1K85Awe.exe | Get hash | malicious | Nanocore | Browse |
| Malwarebytes Gears.exe | Get hash | malicious | AsyncRAT | Browse |
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
DIGITALOCEAN-ASNUS | https://sites.google.com/view/hffgshfgsqfgsqf/home | Get hash | malicious | Unknown | Browse | 138.68.75.10
| la.bot.mips.elf | Get hash | malicious | Unknown | Browse | 103.253.147.242
| la.bot.mipsel.elf | Get hash | malicious | Unknown | Browse | 103.253.147.242
| la.bot.arm7.elf | Get hash | malicious | Unknown | Browse | 103.253.147.242
| la.bot.mips.elf | Get hash | malicious | Unknown | Browse | 103.253.147.242
| earm5.elf | Get hash | malicious | Unknown | Browse | 103.253.147.242
| la.bot.sparc.elf | Get hash | malicious | Mirai | Browse | 103.253.147.242
| la.bot.mipsel.elf | Get hash | malicious | Unknown | Browse | 103.253.147.242
| la.bot.mips.elf | Get hash | malicious | Unknown | Browse | 162.243.19.47
                                                  No context
                                                  No context
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):65536
                                                  Entropy (8bit):1.2814736197578909
                                                  Encrypted:false
                                                  SSDEEP:192:dVjeFy/WZKN0BU/qaUtY3oXcULzuiFVZ24IO8V:ftAzBU/qaUtXcQzuiFVY4IO8V
                                                  MD5:F1C3B794BD374139296F91ABB3D46191
                                                  SHA1:918BC91617CDD35B67A2EDDAAA0DCEF031608572
                                                  SHA-256:1973189F6DCE93FB3495296662C22C2EC6BE0056F0E853B3E93F217B76DE413B
                                                  SHA-512:E9E9C407874C8BEECDDBDD93874C80F61A769954E55E0BBDB2AED081B75BF1FEA47EA916C60E842C7C33E60132FC78EC96D1E5FC91B4F5BF139E38BC6BAA9ACC
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.3.7.2.7.3.7.7.3.5.4.7.6.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.3.7.2.7.3.7.9.4.1.7.2.1.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.f.a.b.c.f.7.-.e.f.7.b.-.4.8.0.6.-.a.d.d.7.-.d.0.7.0.c.a.2.c.d.1.5.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.6.c.b.5.d.2.4.-.9.d.d.5.-.4.7.c.7.-.9.a.1.d.-.f.f.1.5.4.5.7.e.7.e.e.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.e.8.c.-.0.0.0.1.-.0.0.1.4.-.4.a.f.7.-.4.4.4.8.5.7.2.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.R.
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:Mini DuMP crash report, 14 streams, Fri Oct 18 12:16:19 2024, 0x1205a4 type
                                                  Category:dropped
                                                  Size (bytes):290141
                                                  Entropy (8bit):3.7033485185724424
                                                  Encrypted:false
                                                  SSDEEP:1536:Y4ClNpN4uE2aOcFZBWhuLTgEI3G5w7aSVXAjmAZI99T9CDpofRtTxD8MCWesWPJ0:Y4Y4uEqcFZFLTgE2+y4IIpaPFDXI
                                                  MD5:03603F512EBBDC9394322B3D8AFA17C1
                                                  SHA1:AC8F61E779FE5068BC6F592B378DFF25EBDD4795
                                                  SHA-256:E95CBEB2B2C7A4F3F95DD74E10F5B834F817C7A8DDAE3D4AE921AD22F70FBDDD
                                                  SHA-512:EA89874DF5C6E62D6CFDB9819D0C64B8418EC87A0F641E686641F0CA2CE5186A08F3D5D49D1E2ABFC97816F5115F7BEBFF2737FCA46382B1A4600367288876C3
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:MDMP..a..... ........Q.g........................t#..........."...f..........T.......8...........T............?...-..........P-..........</..............................................................................eJ......./......GenuineIntel............T...........%Q.g.... ........................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):6376
                                                  Entropy (8bit):3.71529692948423
                                                  Encrypted:false
                                                  SSDEEP:192:R6l7wVeJsjf6aZxXYZOebpru89b4tMsfF61m:R6lXJWf6sxXY8eB6ffV
                                                  MD5:43689B6B8290B84327EEA2D715490543
                                                  SHA1:565509DCE4D34E3D55143A8A60B11517AFE0392E
                                                  SHA-256:6138B74DDAC2E9939BC92EC03FE30EF8E19D2CFBD22A41616E1F1081F8D67762
                                                  SHA-512:10F5A96A6676AA62DEB3B70404D7E6D62E56FE16EE36AB9974DA5D2CA04D8B42787337871F65773BEAEBDE1BB84D95AC9B992AB6F53B7A0298BDF3D29139C94E
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.7.2.4.<./.P.i.
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):4721
                                                  Entropy (8bit):4.441746063891815
                                                  Encrypted:false
                                                  SSDEEP:48:cvIwWl8zs7Jg77aI9roWpW8VYYYm8M4JfuyziF7D+q8vZyzeQgLuOLuard:uIjfVI7VB7VMJfuagKZaeBukuard
                                                  MD5:32590A0A78B07C6A99DB53F0D6F6A8E5
                                                  SHA1:E3F9AC744DB0546FCC3A25DFEA26F4F56006C44A
                                                  SHA-256:5C436A1083B88BD57354E451EECFBB35C9731C773788D04B84BC9396EBF892A8
                                                  SHA-512:F2B13D7CF5DAB7192CF1DBA382E825FD0BFA5892E8AFD27C8285BBB09D687FE92775F8AA790C04BF0F8BCDC72D82781CC10E16BF12D75071D349DD2CC449ADF2
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="548839" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                  File Type:MS Windows registry file, NT/2000 or above
                                                  Category:dropped
                                                  Size (bytes):1835008
                                                  Entropy (8bit):4.422358988559259
                                                  Encrypted:false
                                                  SSDEEP:6144:kSvfpi6ceLP/9skLmb0OTyWSPHaJG8nAgeMZMMhA2fX4WABlEnNk0uhiTw:vvloTyW+EZMM6DFye03w
                                                  MD5:5D06655C78C77FF7545C5BA1C3F29E95
                                                  SHA1:9D17550D676D79260C2F1CC8767D253CFC33A6FB
                                                  SHA-256:FAA9F37010676F4A241BAC1E12BFCF858BDC389E03AF93E95B6A7BC23E1AC808
                                                  SHA-512:CF845F05ACA0BB3F7CA4269B4794328161810741CFF2C130DF894E1832F68E477FE8FFA261A68E172AE7459459FAE02B608F3F886966FA34911F2956D1E2BAE0
                                                  Malicious:false
                                                  Reputation:low
                                                  Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..F.W!...............................................................................................................................................................................................................................................................................................................................................@Q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):6.309641950556383
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.53%
                                                  • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                  • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  File name:SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
                                                  File size:2'121'456 bytes
                                                  MD5:09289584ed12a81a0a2a2d6df31df6da
                                                  SHA1:26fb4b863c809c1dde042bf5fe9d1de98e694487
                                                  SHA256:2ce4cfe235350e3cb4f613e988203e8c6745db826bcb1f0aa2399d9427ef2357
                                                  SHA512:e6d4cea771d4cdc0fa958aef23fc7f9ad575b2e49bec65e8b22fb2de5ce551de6936d052544004200a097410fbb7109b7d6f71d1c01889bb9b5e0dc53fb72ac7
                                                  SSDEEP:24576:QljLYQBtY2rLbnoQVNYRvobF5ZIMfffffffffffffffTEqNrK2Y/l6q3:QxbB7VYSMR/l6q3
                                                  TLSH:5AA5F703EF6452B5E93D36BA11B26BB5473BE52BDC8B480A59B3347F8A231D0382D355
                                                  File Content Preview:MZP.....................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................................................................
                                                  Icon Hash:2bbd7b3bbb91184c
                                                  Entrypoint:0x541228
                                                  Entrypoint Section:.itext
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6594420D [Tue Jan 2 17:04:13 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:6
                                                  OS Version Minor:0
                                                  File Version Major:6
                                                  File Version Minor:0
                                                  Subsystem Version Major:6
                                                  Subsystem Version Minor:0
                                                  Import Hash:c27196cb386d9c2fcebfe58d6b783f7f
                                                  Signature Valid:false
                                                  Signature Issuer:SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
                                                  Signature Validation Error:The digital signature of the object did not verify
                                                  Error Number:-2146869232
                                                  Not Before, Not After
                                                  • 23/04/2013 18:46:49 23/04/2016 18:46:49
                                                  Subject Chain
                                                  • CN=TallApplications BV, O=TallApplications BV, L=Grubbenvorst, S=Limburg, C=NL
                                                  Version:3
                                                  Thumbprint MD5:0CFB7685B54EF58E0DD65B242E82E080
                                                  Thumbprint SHA-1:2D5609B5B7FB15C2CCF27F91E6AF062511E37170
                                                  Thumbprint SHA-256:751E9D2F2901B771BE8DA1AFB24B2D3E51E4EA32B8E21CA425DD280701608FBA
                                                  Serial:07AD5CFABFBBAA
                                                  Instruction
                                                  push ebp
                                                  mov ebp, esp
                                                  mov ecx, 0000000Dh
                                                  push 00000000h
                                                  push 00000000h
                                                  dec ecx
                                                  jne 00007F91B8C2CB5Bh
                                                  push ebx
                                                  push esi
                                                  mov eax, 0053AF30h
                                                  call 00007F91B8AFCABEh
                                                  xor eax, eax
                                                  push ebp
                                                  push 00541838h
                                                  push dword ptr fs:[eax]
                                                  mov dword ptr fs:[eax], esp
                                                  mov dl, 01h
                                                  mov eax, dword ptr [0053ABCCh]
                                                  call 00007F91B8AF3CC4h
                                                  mov esi, eax
                                                  mov eax, 00561A68h
                                                  mov edx, esi
                                                  test edx, edx
                                                  je 00007F91B8C2CB65h
                                                  sub edx, FFFFFFF8h
                                                  call 00007F91B8AFA1B3h
                                                  xor eax, eax
                                                  mov dword ptr [ebp-14h], eax
                                                  xor ecx, ecx
                                                  push ebp
                                                  push 005417F9h
                                                  push dword ptr fs:[ecx]
                                                  mov dword ptr fs:[ecx], esp
                                                  lea edx, dword ptr [ebp-14h]
                                                  mov eax, 00000001h
                                                  call 00007F91B8C25227h
                                                  xor eax, eax
                                                  mov dword ptr [ebp-18h], eax
                                                  xor ecx, ecx
                                                  push ebp
                                                  push 005417DAh
                                                  push dword ptr fs:[ecx]
                                                  mov dword ptr fs:[ecx], esp
                                                  lea edx, dword ptr [ebp-18h]
                                                  mov eax, 00000002h
                                                  call 00007F91B8C25207h
                                                  mov edx, dword ptr [ebp-18h]
                                                  mov eax, edx
                                                  test eax, eax
                                                  je 00007F91B8C2CB67h
                                                  sub eax, 04h
                                                  mov eax, dword ptr [eax]
                                                  test eax, eax
                                                  jle 00007F91B8C2CB76h
                                                  mov eax, edx
                                                  test eax, eax
                                                  je 00007F91B8C2CB67h
                                                  sub eax, 04h
                                                  mov eax, dword ptr [eax]
                                                  lea edx, dword ptr [ebp-18h]
                                                  xchg eax, edx
                                                  call 00007F91B8AF65E5h
                                                  lea ecx, dword ptr [ebp-44h]
                                                  mov edx, 00541854h
                                                  mov eax, dword ptr [ebp-18h]
                                                  call 00007F91B8BBD9F9h
                                                  mov edx, dword ptr [ebp-44h]
                                                  mov eax, 00561A4Ch

Name                                  | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          | 0x164000        | 0x71         | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          | 0x162000        | 0xeaa        | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        | 0x180000        | 0x91842      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY        | 0x204a00        | 0x14f0       | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC       | 0x167000        | 0x18968      | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS             | 0x166000        | 0x18         | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT             | 0x1622c4        | 0x24c        | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    | 0x163000        | 0x1ea        | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED        | 0x0             | 0x0          |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x13ec30 | 0x13ee00 | c51c6cb37ed5ce0e3f5505dc3ac403bc | False | 0.36596019330654644 | data | 6.490706528468914 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x140000 | 0x1934 | 0x1a00 | 7ac92331d0c7df1bc9e4c0d07104c159 | False | 0.5147235576923077 | data | 6.232517754168578 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x142000 | 0x182d4 | 0x18400 | a20ea187c764645fcd5c35d906f0f7f6 | False | 0.18651336984536082 | data | 5.281725279036479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x15b000 | 0x6a6c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x162000 | 0xeaa | 0x1000 | 3cf5ec88566996006540ea535e613c5c | False | 0.352294921875 | zlib compressed data | 4.7520074705410895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x163000 | 0x1ea | 0x200 | 61251115c0a0c926bd55f02b7ec230a7 | False | 0.416015625 | firmware 100 v0 (revision 1915819520) (1\026 , version 52263.16640.35879 (region 2284852736), 0 bytes or less, UNKNOWN1 0x88301600, at 0 0 bytes , at 0 0 bytes , at 0x48534000 3226615808 bytes | 3.345822242610369 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x164000 | 0x71 | 0x200 | 93b1b87c3109e7fee7b3e8bb61ade18e | False | 0.1796875 | data | 1.3456704524513246 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x165000 | 0x20 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x166000 | 0x5d | 0x200 | fdcc303ff40bb15074bd3ec3e38eac94 | False | 0.189453125 | data | 1.376875570449468 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x167000 | 0x18968 | 0x18a00 | 17ed0a2e57f1b8c5b6904d0a2d26f915 | False | 0.528216211928934 | data | 6.669990802122488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x180000 | 0x91842 | 0x91a00 | 1608fa01be6fd3aefd5f8e76194afd48 | False | 0.1028014350858369 | data | 3.4961514116837944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
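The two tables above can be cross-checked mechanically. The following script is an added example (not Joe Sandbox output and not the sample's code): it maps every populated data directory to the section that contains it, verifies that the eleven sections are contiguous at the 0x1000 section alignment, and treats IMAGE_DIRECTORY_ENTRY_SECURITY as what the PE specification says it is, a raw file offset rather than an RVA. With the values transcribed from this report, 0x204a00 + 0x14f0 = 0x205ef0 = 2'121'456, exactly the file size from the process list, so the certificate table is an Authenticode blob appended to the end of the file; the report's "in .rsrc" annotation for that row comes from treating the offset as an RVA. FILE_ALIGNMENT = 0x200 is an assumption (every raw size is a multiple of it).

```python
"""PE layout sanity checks over the section and data-directory tables of this
report (added example, not Joe Sandbox output or the sample's own code).
SECTIONS and DIRECTORIES are transcribed from the tables above; FILE_SIZE is
the sample size given in the process list (2'121'456 bytes). FILE_ALIGNMENT
is assumed to be 0x200 because every raw size is a multiple of it."""

SECTION_ALIGNMENT = 0x1000
FILE_ALIGNMENT = 0x200          # assumption, see docstring
FILE_SIZE = 2_121_456

# name, virtual address, virtual size, raw size
SECTIONS = [
    (".text",   0x1000,   0x13ec30, 0x13ee00),
    (".itext",  0x140000, 0x1934,   0x1a00),
    (".data",   0x142000, 0x182d4,  0x18400),
    (".bss",    0x15b000, 0x6a6c,   0x0),
    (".idata",  0x162000, 0xeaa,    0x1000),
    (".didata", 0x163000, 0x1ea,    0x200),
    (".edata",  0x164000, 0x71,     0x200),
    (".tls",    0x165000, 0x20,     0x0),
    (".rdata",  0x166000, 0x5d,     0x200),
    (".reloc",  0x167000, 0x18968,  0x18a00),
    (".rsrc",   0x180000, 0x91842,  0x91a00),
]

# name: (value, size). Every value is an RVA except SECURITY, whose value is a
# raw file offset per the PE specification.
DIRECTORIES = {
    "EXPORT":       (0x164000, 0x71),
    "IMPORT":       (0x162000, 0xeaa),
    "RESOURCE":     (0x180000, 0x91842),
    "SECURITY":     (0x204a00, 0x14f0),
    "BASERELOC":    (0x167000, 0x18968),
    "TLS":          (0x166000, 0x18),
    "IAT":          (0x1622c4, 0x24c),
    "DELAY_IMPORT": (0x163000, 0x1ea),
}

# MSVC-style names; .itext/.didata are what the Delphi linker emits.
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata"}
DELPHI_NAMES = {".itext", ".didata"}


def round_up(n, alignment):
    return (n + alignment - 1) // alignment * alignment


def section_for_rva(rva, sections=SECTIONS):
    """Name of the section whose in-memory span (VirtualSize rounded up to
    SectionAlignment) contains rva, or None."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + round_up(vsize, SECTION_ALIGNMENT):
            return name
    return None


def check_directories(dirs=DIRECTORIES, sections=SECTIONS, file_size=FILE_SIZE):
    """Map each directory to the section holding it. SECURITY is checked as a
    file offset: an Authenticode blob is normally appended, so offset + size
    should land exactly on end of file."""
    result = {}
    for name, (value, size) in dirs.items():
        if name == "SECURITY":
            if value + size == file_size:
                result[name] = "appended signature blob"
            else:
                result[name] = f"file offset 0x{value:x}+0x{size:x} does not end at EOF"
            continue
        start = section_for_rva(value, sections)
        end = section_for_rva(value + size - 1, sections)
        result[name] = start if start is not None and start == end else "out of section"
    return result


def check_sections(sections=SECTIONS):
    """Structural findings a packer or a tampered header would trip."""
    findings = []
    expected_va = None
    for name, va, vsize, rsize in sections:
        if name in DELPHI_NAMES:
            findings.append((name, "Delphi RTL section name"))
        elif name not in STANDARD_NAMES:
            findings.append((name, "non-standard section name"))
        if va % SECTION_ALIGNMENT:
            findings.append((name, "VA not section-aligned"))
        if expected_va is not None and va != expected_va:
            findings.append((name, "gap or overlap with previous section"))
        expected_va = va + round_up(vsize, SECTION_ALIGNMENT)
        if rsize == 0 and vsize:
            findings.append((name, "no raw data (uninitialized)"))
        elif vsize > round_up(rsize, FILE_ALIGNMENT):
            findings.append((name, "virtual size exceeds raw size (unpacks at run time?)"))
    findings.append(("*", f"{len(sections)} sections"))
    return findings


if __name__ == "__main__":
    for k, v in check_directories().items():
        print(f"{k:13} -> {v}")
    for name, note in check_sections():
        print(f"{name:8} {note}")
```

For this sample the section walk is clean: every section starts where the previous one's aligned virtual span ends, no section has a virtual size larger than its raw data (the usual unpacking-stub tell), and the only non-MSVC names are the two the Delphi linker always produces. The structural oddities a reviewer should note are therefore the section count and the appended, non-validating certificate, not the layout itself.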

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x180618 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.47681236673773986
RT_ICON | 0x1814c0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6078519855595668
RT_ICON | 0x181d68 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.4971198156682028
RT_ICON | 0x182430 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.5852601156069365
RT_ICON | 0x182998 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.30933609958506225
RT_ICON | 0x184f40 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.40384615384615385
RT_ICON | 0x185fe8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.4319672131147541
RT_ICON | 0x186970 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5939716312056738
RT_STRING | 0x186dd8 | 0x33c | data | | | 0.4190821256038647
RT_STRING | 0x187114 | 0x3dc | data | | | 0.2834008097165992
RT_STRING | 0x1874f0 | 0x370 | data | | | 0.4147727272727273
RT_STRING | 0x187860 | 0x464 | data | | | 0.37277580071174377
RT_STRING | 0x187cc4 | 0x4a8 | data | | | 0.3213087248322148
RT_STRING | 0x18816c | 0x3d4 | data | | | 0.376530612244898
RT_STRING | 0x188540 | 0x440 | data | | | 0.3704044117647059
RT_STRING | 0x188980 | 0x1d0 | data | | | 0.40301724137931033
RT_STRING | 0x188b50 | 0xcc | data | | | 0.6225490196078431
RT_STRING | 0x188c1c | 0x17c | data | | | 0.55
RT_STRING | 0x188d98 | 0x384 | data | | | 0.3811111111111111
RT_STRING | 0x18911c | 0x3e0 | data | | | 0.3326612903225806
RT_STRING | 0x1894fc | 0x368 | data | | | 0.37844036697247707
RT_STRING | 0x189864 | 0x294 | data | | | 0.43787878787878787
RT_RCDATA | 0x189af8 | 0x10 | data | | | 1.5
RT_RCDATA | 0x189b08 | 0x40c | data | | | 0.5318532818532818
RT_GROUP_ICON | 0x189f14 | 0x76 | data | | | 0.6610169491525424
RT_VERSION | 0x189f8c | 0x4b8 | COM executable for DOS | English | United States | 0.3120860927152318
RT_HTML | 0x18a444 | 0x873f3 | data | | | 0.08053670679512104
RT_HTML | 0x211838 | 0xa | ASCII text, with no line terminators | | | 1.8

DLL | Import
kernel32.dll | GetACP, CloseHandle, LocalFree, SizeofResource, ReadProcessMemory, QueryPerformanceFrequency, IsDebuggerPresent, VirtualFree, SetThreadContext, GetThreadContext, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, WriteProcessMemory, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, CopyFileW, LoadLibraryA, ResetEvent, GetVersion, FreeResource, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, LoadResource, SuspendThread, GetTickCount, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, VirtualAllocEx, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, CreateMutexA, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, IsValidLocale, TlsSetValue, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, CreateEventW, SetThreadLocale, GetThreadLocale
user32.dll | CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, CharLowerBuffW, LoadStringW, CharUpperW, PeekMessageW, GetSystemMetrics, MessageBoxW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
msvcrt.dll | isupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
advapi32.dll | RegQueryValueExW, RegCloseKey, RegOpenKeyExW
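Most of the kernel32 list is the ordinary Delphi RTL baseline, but it also contains the full process-hollowing set (CreateProcessW, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, GetThreadContext, SetThreadContext, SuspendThread, ResumeThread), the resource-loading set used to carry an embedded payload (FindResourceW, LoadResource, LockResource, SizeofResource), IsDebuggerPresent, and GetProcAddress. Equally telling is what is absent: there is no ws2_32.dll, wininet.dll or winhttp.dll entry, yet the TCP packet table below records a steady stream of sessions to 167.71.56.116:22781, so the networking code is either resolved at run time or lives in the code injected into RegAsm.exe (started at the same second in the process list). The script below is an added example, not Joe Sandbox code or the sample's, that runs that kind of triage over the import table exactly as listed above; the CAPABILITIES map is my own grouping and is the part to tune.

```python
"""Import-table capability triage (added example; neither Joe Sandbox code nor
the sample's). IMPORTS is the import table as listed in this report; the
CAPABILITIES map is my own grouping of APIs into behaviours and is the part
to tune for your own triage."""

IMPORTS = """\
kernel32.dll: GetACP, CloseHandle, LocalFree, SizeofResource, ReadProcessMemory, QueryPerformanceFrequency, IsDebuggerPresent, VirtualFree, SetThreadContext, GetThreadContext, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, WriteProcessMemory, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, CopyFileW, LoadLibraryA, ResetEvent, GetVersion, FreeResource, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, ReleaseMutex, LoadResource, SuspendThread, GetTickCount, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, VirtualAllocEx, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, CreateMutexA, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, IsValidLocale, TlsSetValue, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, CreateEventW, SetThreadLocale, GetThreadLocale
user32.dll: CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, CharLowerBuffW, LoadStringW, CharUpperW, PeekMessageW, GetSystemMetrics, MessageBoxW
oleaut32.dll: SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
msvcrt.dll: isupper, isalpha, isalnum, toupper, memchr, memcmp, memcpy, memset, isprint, isspace, iscntrl, isxdigit, ispunct, isgraph, islower, tolower
advapi32.dll: RegQueryValueExW, RegCloseKey, RegOpenKeyExW
"""

# behaviour -> (APIs that must all be present, APIs that strengthen the hit)
CAPABILITIES = {
    "process hollowing": (
        {"CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"},
        {"VirtualAllocEx", "ReadProcessMemory", "GetThreadContext", "SuspendThread", "VirtualQueryEx"},
    ),
    "anti-debugging": ({"IsDebuggerPresent"}, set()),
    "runtime API resolution": ({"GetProcAddress"}, {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"}),
    "embedded resource payload": ({"FindResourceW", "LoadResource", "LockResource"},
                                  {"SizeofResource", "FreeResource"}),
    "registry read": ({"RegOpenKeyExW", "RegQueryValueExW"}, {"RegCloseKey"}),
    "winsock networking": ({"WSAStartup", "connect"}, {"socket", "send", "recv", "WSAConnect"}),
    "single-instance mutex": ({"CreateMutexA"}, {"ReleaseMutex"}),
}


def parse_imports(text):
    """'dll: A, B, C' lines -> {dll (lower-case): set of API names}."""
    table = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        dll, apis = line.split(":", 1)
        table[dll.strip().lower()] = {a.strip() for a in apis.split(",") if a.strip()}
    return table


def assess(table, capabilities=CAPABILITIES):
    """Return {behaviour: sorted matched APIs} for every behaviour whose
    required set is fully imported. Static only: anything resolved through
    GetProcAddress or living in injected code is invisible here."""
    present = set().union(*table.values()) if table else set()
    hits = {}
    for name, (required, supporting) in capabilities.items():
        if required <= present:
            hits[name] = sorted((required | supporting) & present)
    return hits


def dlls_missing(table, expected=("ws2_32.dll", "wininet.dll", "winhttp.dll")):
    """Which network DLLs the static import table does NOT reference."""
    return [d for d in expected if d not in table]


if __name__ == "__main__":
    t = parse_imports(IMPORTS)
    for behaviour, apis in assess(t).items():
        print(f"{behaviour}: {', '.join(apis)}")
    print("no static import of:", ", ".join(dlls_missing(t)))
```

Treat the output as a prioritisation signal rather than a verdict: the required sets are deliberately small so that a hit says "worth a look", and the absence of winsock imports on a sample that is plainly talking to a C2 is itself the finding, because it tells you where not to look for the network code.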

Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x411070
dbkFCallWrapperAddr | 1 | 0x55e63c

Language of compilation system | Country where language is spoken
English | United States

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 18, 2024 14:14:36.690715075 CEST | 49707 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:36.697316885 CEST | 22781 | 49707 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:36.697484970 CEST | 49707 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:36.815943956 CEST | 49707 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:36.824618101 CEST | 22781 | 49707 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:37.310111046 CEST | 22781 | 49707 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:37.310301065 CEST | 49707 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:46.343274117 CEST | 49707 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:46.344312906 CEST | 49712 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:46.348234892 CEST | 22781 | 49707 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:46.349278927 CEST | 22781 | 49712 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:46.349350929 CEST | 49712 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:46.368906021 CEST | 49712 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:46.374063969 CEST | 22781 | 49712 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:47.063462973 CEST | 22781 | 49712 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:47.063566923 CEST | 49712 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:53.061878920 CEST | 49712 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:53.062823057 CEST | 49754 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:53.066788912 CEST | 22781 | 49712 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:53.067640066 CEST | 22781 | 49754 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:53.067712069 CEST | 49754 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:53.091876030 CEST | 49754 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:14:53.096684933 CEST | 22781 | 49754 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:53.661736965 CEST | 22781 | 49754 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:14:53.664793968 CEST | 49754 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:01.015125036 CEST | 49754 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:01.016333103 CEST | 49801 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:01.019990921 CEST | 22781 | 49754 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:01.021215916 CEST | 22781 | 49801 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:01.021313906 CEST | 49801 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:01.039937973 CEST | 49801 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:01.044819117 CEST | 22781 | 49801 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:01.617418051 CEST | 22781 | 49801 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:01.617556095 CEST | 49801 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:07.905783892 CEST | 49801 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:07.908209085 CEST | 49839 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:07.910633087 CEST | 22781 | 49801 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:07.913065910 CEST | 22781 | 49839 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:07.913146019 CEST | 49839 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:07.932156086 CEST | 49839 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:07.938252926 CEST | 22781 | 49839 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:08.506584883 CEST | 22781 | 49839 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:08.506680012 CEST | 49839 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:15.780467033 CEST | 49839 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:15.781683922 CEST | 49885 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:15.785309076 CEST | 22781 | 49839 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:15.786535025 CEST | 22781 | 49885 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:15.786623955 CEST | 49885 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:15.803605080 CEST | 49885 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:15.808482885 CEST | 22781 | 49885 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:16.418009996 CEST | 22781 | 49885 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:16.418375969 CEST | 49885 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:25.421592951 CEST | 49885 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:25.422379971 CEST | 49940 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:25.426450014 CEST | 22781 | 49885 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:25.427145958 CEST | 22781 | 49940 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:25.427234888 CEST | 49940 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:25.445152044 CEST | 49940 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:25.449956894 CEST | 22781 | 49940 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:26.016355038 CEST | 22781 | 49940 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:26.016439915 CEST | 49940 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:31.124293089 CEST | 49940 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:31.128170967 CEST | 49969 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:31.129163980 CEST | 22781 | 49940 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:31.133265972 CEST | 22781 | 49969 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:31.133357048 CEST | 49969 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:31.179600000 CEST | 49969 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:31.185365915 CEST | 22781 | 49969 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:31.733128071 CEST | 22781 | 49969 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:31.733242989 CEST | 49969 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:38.405497074 CEST | 49969 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:38.407816887 CEST | 49988 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:38.414104939 CEST | 22781 | 49969 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:38.415189028 CEST | 22781 | 49988 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:38.420782089 CEST | 49988 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:38.438407898 CEST | 49988 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:38.444690943 CEST | 22781 | 49988 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:39.041681051 CEST | 22781 | 49988 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:39.044807911 CEST | 49988 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:44.356978893 CEST | 49988 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:44.359977961 CEST | 49989 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:44.362045050 CEST | 22781 | 49988 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:44.365130901 CEST | 22781 | 49989 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:44.365207911 CEST | 49989 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:44.636419058 CEST | 49989 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:44.651741028 CEST | 22781 | 49989 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:44.969738960 CEST | 22781 | 49989 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:44.969871044 CEST | 49989 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:53.437117100 CEST | 49989 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:53.439157009 CEST | 49991 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:53.442145109 CEST | 22781 | 49989 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:53.444154978 CEST | 22781 | 49991 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:53.444272995 CEST | 49991 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:53.484209061 CEST | 49991 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:15:53.489444971 CEST | 22781 | 49991 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:54.048615932 CEST | 22781 | 49991 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:15:54.048775911 CEST | 49991 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:02.905508995 CEST | 49991 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:02.906759977 CEST | 49992 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:02.910660982 CEST | 22781 | 49991 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:02.911787033 CEST | 22781 | 49992 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:02.911900997 CEST | 49992 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:02.963968992 CEST | 49992 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:02.969211102 CEST | 22781 | 49992 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:03.532654047 CEST | 22781 | 49992 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:03.532751083 CEST | 49992 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:06.796629906 CEST | 49992 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:06.799014091 CEST | 49993 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:06.807024956 CEST | 22781 | 49992 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:06.808754921 CEST | 22781 | 49993 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:06.808976889 CEST | 49993 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:06.982337952 CEST | 49993 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:07.000596046 CEST | 22781 | 49993 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:07.434456110 CEST | 22781 | 49993 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:07.434520960 CEST | 49993 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:11.141573906 CEST | 49993 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:11.144608021 CEST | 49994 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:11.147054911 CEST | 22781 | 49993 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:11.149610043 CEST | 22781 | 49994 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:11.149679899 CEST | 49994 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:11.580806017 CEST | 49994 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:11.588001013 CEST | 22781 | 49994 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:11.763159990 CEST | 22781 | 49994 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:11.763247013 CEST | 49994 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:42.303075075 CEST | 49994 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:42.306780100 CEST | 50006 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:42.308146000 CEST | 22781 | 49994 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:42.312840939 CEST | 22781 | 50006 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:42.312948942 CEST | 50006 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:42.358803988 CEST | 50006 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:42.366482019 CEST | 22781 | 50006 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:42.925292969 CEST | 22781 | 50006 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:42.925364017 CEST | 50006 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:47.452393055 CEST | 50006 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:47.453150034 CEST | 50007 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:47.457622051 CEST | 22781 | 50006 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:47.460371971 CEST | 22781 | 50007 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:47.460481882 CEST | 50007 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:47.478496075 CEST | 50007 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:47.485121012 CEST | 22781 | 50007 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:48.073215961 CEST | 22781 | 50007 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:48.073339939 CEST | 50007 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:56.561638117 CEST | 50007 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:56.562366009 CEST | 50008 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:56.567109108 CEST | 22781 | 50007 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:56.567620993 CEST | 22781 | 50008 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:56.567715883 CEST | 50008 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:56.583858013 CEST | 50008 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:16:56.589842081 CEST | 22781 | 50008 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:57.180321932 CEST | 22781 | 50008 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:16:57.180403948 CEST | 50008 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:03.593190908 CEST | 50008 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:03.594907045 CEST | 50009 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:03.598175049 CEST | 22781 | 50008 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:03.600013018 CEST | 22781 | 50009 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:03.600141048 CEST | 50009 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:03.623584032 CEST | 50009 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:03.628757000 CEST | 22781 | 50009 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:04.208605051 CEST | 22781 | 50009 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:04.208681107 CEST | 50009 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:09.436639071 CEST | 50009 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:09.437527895 CEST | 50010 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:09.441684008 CEST | 22781 | 50009 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:09.442471981 CEST | 22781 | 50010 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:09.442624092 CEST | 50010 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:09.462057114 CEST | 50010 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:09.467220068 CEST | 22781 | 50010 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:10.046034098 CEST | 22781 | 50010 | 167.71.56.116 | 192.168.2.5
Oct 18, 2024 14:17:10.046114922 CEST | 50010 | 22781 | 192.168.2.5 | 167.71.56.116
Oct 18, 2024 14:17:15.227372885 CEST | 50010 | 22781 | 192.168.2.5 | 167.71.56.116
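The packet list shows the same shape nineteen times: the sandbox host opens a fresh source port to 167.71.56.116:22781, exchanges one short request/response, idles for a few seconds, then closes the old connection in the same instant it opens the next one (49707, 49712, 49754, 49801, ... 50010). That is a check-in loop, and the thing to measure is the spacing between connection starts rather than the packets themselves. The script below is an added example (not Joe Sandbox code and not the sample's) that does that measurement over the first three connections transcribed from the table above, plus two constructed rows for a one-off TLS connection to a TEST-NET address as a negative control. It collapses packets into client connections, computes the gaps between consecutive connection starts to each server endpoint, and uses the share of gaps within 50% of the median so that a single long pause does not hide the pattern. The port list in WELL_KNOWN_PORTS and the thresholds are assumptions to tune.

```python
"""Beacon triage over a sandbox TCP packet list (added example; not Joe Sandbox
code and not the sample's). PACKETS holds the first three connections from the
TCP table in this report plus two constructed rows (203.0.113.7:443, TEST-NET)
used as a negative control. Timestamps follow the 'Mon DD, YYYY HH:MM:SS.fff TZ'
layout the report prints; the zone name is dropped, all rows share one zone."""
from collections import defaultdict
from datetime import datetime
import statistics

SANDBOX_IP = "192.168.2.5"
WELL_KNOWN_PORTS = {80, 443, 53, 8080}      # assumption: tune per environment

PACKETS = """\
Oct 18, 2024 14:14:36.690715075 CEST|49707|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:36.697316885 CEST|22781|49707|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:36.697484970 CEST|49707|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:36.815943956 CEST|49707|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:36.824618101 CEST|22781|49707|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:37.310111046 CEST|22781|49707|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:37.310301065 CEST|49707|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:46.343274117 CEST|49707|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:46.344312906 CEST|49712|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:46.348234892 CEST|22781|49707|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:46.349278927 CEST|22781|49712|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:46.349350929 CEST|49712|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:46.368906021 CEST|49712|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:46.374063969 CEST|22781|49712|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:47.063462973 CEST|22781|49712|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:47.063566923 CEST|49712|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:53.061878920 CEST|49712|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:53.062823057 CEST|49754|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:53.066788912 CEST|22781|49712|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:53.067640066 CEST|22781|49754|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:53.067712069 CEST|49754|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:53.091876030 CEST|49754|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:53.096684933 CEST|22781|49754|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:53.661736965 CEST|22781|49754|167.71.56.116|192.168.2.5
Oct 18, 2024 14:14:53.664793968 CEST|49754|22781|192.168.2.5|167.71.56.116
Oct 18, 2024 14:14:40.000000000 CEST|49710|443|192.168.2.5|203.0.113.7
Oct 18, 2024 14:14:40.020000000 CEST|443|49710|203.0.113.7|192.168.2.5
"""


def parse_ts(text):
    """The report prints nanoseconds; datetime carries microseconds, so trim."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_packets(text):
    """'ts|sport|dport|sip|dip' lines -> list of (ts, sport, dport, sip, dip)."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, sip, dip = line.split("|")
            rows.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return rows


def connections(rows, client_ip=SANDBOX_IP):
    """Collapse packets in both directions into client connections keyed by
    (client port, server ip, server port) -> (first seen, last seen)."""
    conns = {}
    for ts, sport, dport, sip, dip in rows:
        if sip == client_ip:
            key = (sport, dip, dport)
        elif dip == client_ip:
            key = (dport, sip, sport)
        else:
            continue
        first, last = conns.get(key, (ts, ts))
        conns[key] = (min(first, ts), max(last, ts))
    return conns


def beacon_stats(rows, client_ip=SANDBOX_IP):
    """Per server endpoint: connection count, gaps between connection starts,
    and the share of gaps within 50% of the median (robust to one long sleep)."""
    starts = defaultdict(list)
    for (_, server_ip, server_port), (first, _) in connections(rows, client_ip).items():
        starts[(server_ip, server_port)].append(first)
    stats = {}
    for server, times in starts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps) if gaps else 0.0
        regular = [g for g in gaps if 0.5 * median <= g <= 1.5 * median]
        stats[server] = {"connections": len(times), "gaps": gaps, "median_gap": median,
                         "regular_fraction": len(regular) / len(gaps) if gaps else 0.0}
    return stats


def is_beacon(server, st, min_connections=3, min_regular=0.6):
    """Repeated connections to one endpoint at roughly even spacing on a
    non-standard port. A triage threshold, not proof: tune per environment."""
    return (st["connections"] >= min_connections
            and st["regular_fraction"] >= min_regular
            and server[1] not in WELL_KNOWN_PORTS)


if __name__ == "__main__":
    for server, st in beacon_stats(parse_packets(PACKETS)).items():
        print(server, st, "BEACON" if is_beacon(server, st) else "")
```

Run over the full table above, the same logic yields 19 connections whose start-to-start gaps are mostly 4 to 10 seconds with one 31-second outlier (14:16:11 to 14:16:42); the median is about 7 seconds and 17 of 18 gaps fall inside the 50% window, so the range-based jitter check that would have been broken by the outlier is exactly the check to avoid. The port test is the weakest leg: a beacon on 443 would still show the timing signature, so treat a well-known port as a reason to look at the payload, not a reason to clear the host.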


Target ID: 0
Start time: 08:14:29
Start date: 18/10/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Inject5.1262.5931.28554.exe"
Imagebase: 0xa00000
File size: 2'121'456 bytes
MD5 hash: 09289584ED12A81A0A2A2D6DF31DF6DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.2069832510.000000007F450000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

                                                  Target ID: 1
                                                  Start time: 08:14:29
                                                  Start date: 18/10/2024
                                                  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                  Imagebase: 0x140000
                                                  File size: 65'440 bytes
                                                  MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.3715073038.0000000000522000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation: high
                                                  Has exited: true

                                                  Target ID: 7
                                                  Start time: 08:16:16
                                                  Start date: 18/10/2024
                                                  Path: C:\Windows\SysWOW64\WerFault.exe
                                                  Wow64 process (32bit): true
                                                  Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1628
                                                  Imagebase: 0x5f0000
                                                  File size: 483'680 bytes
                                                  MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
                                                  Has elevated privileges: true
                                                  Has administrator privileges: true
                                                  Programmed in: C, C++ or other language
                                                  Reputation: high
                                                  Has exited: true

                                                    Execution Graph

                                                    Execution Coverage: 18.8%
                                                    Dynamic/Decrypted Code Coverage: 100%
                                                    Signature Coverage: 0%
                                                    Total number of Nodes: 224
                                                    Total number of Limit Nodes: 19

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LR]q$Xaq$dPx$dPx
                                                    • API String ID: 0-1477230151
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: dPx
                                                    • API String ID: 0-1425678004

                                                    Control-flow Graph

                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00917FF2), ref: 009180DF
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0

                                                    Control-flow Graph

                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,00917FF2), ref: 009180DF
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Xaq$dPx$dPx$$]q
                                                    • API String ID: 0-1294932634
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.3715803757.0000000000910000.00000040.00000800.00020000.00000000.sdmp, Offset: 00910000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_910000_RegAsm.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID: