Edit tour

Windows Analysis Report
surfex.exe

Overview

General Information

Sample name:	surfex.exe
Analysis ID:	1577531
MD5:	1f4b0637137572a1fb34aaa033149506
SHA1:	c209c9a60a752bc7980a3d9d53daf4b4b32973a9
SHA256:	60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648
Tags:	18521511316185215113209bulletproofexeRedLineStealeruser-abus3reports
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected RedLine Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Installs new ROOT certificates

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops certificate files (DER)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

surfex.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\surfex.exe" MD5: 1F4B0637137572A1FB34AAA033149506)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7512 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": "185.218.125.157:21441", "Bot Id": "TG@CVV88888", "Authorization Header": "7e02e4a11bbfb75ade695ae80e1693a0"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000004.00000002.2633603062.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: surfex.exe PID: 7412	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7520	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.surfex.exe.3665570.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
4.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.surfex.exe.3665570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: surfex.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: RedLine {"C2 url": "185.218.125.157:21441", "Bot Id": "TG@CVV88888", "Authorization Header": "7e02e4a11bbfb75ade695ae80e1693a0"}

Multi AV Scanner detection for submitted file

Source: surfex.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Source: surfex.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: surfex.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 00000004.00000002.2636262302.0000000005504000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\56zm\xzd9\obj\Releas\Zaq1.pdbpdb source: surfex.exe
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000004.00000002.2633721942.0000000000B87000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000004.00000002.2636262302.00000000054F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000004.00000002.2633840690.0000000000D71000.00000004.00000020.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.218.125.157:21441

Source: global traffic

TCP traffic: 192.168.2.9:49707 -> 185.218.125.157:21441

Source: Joe Sandbox View

ASN Name: QUICKPACKETUS QUICKPACKETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157
Source: unknown	TCP traffic detected without corresponding DNS query: 185.218.125.157

Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9i
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Ent
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Responsex
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Responsex
Source: surfex.exe, 00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2633603062.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp88CB.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp8949.tmp			Jump to dropped file

System Summary

.NET source code contains very large array initializations

Source: surfex.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 308224

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0294DC74	4_2_0294DC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_065067D8	4_2_065067D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0650A3E8	4_2_0650A3E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06503F50	4_2_06503F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0650A3D8	4_2_0650A3D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06506FF8	4_2_06506FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_06506FE8	4_2_06506FE8

Source: surfex.exe, 00000000.00000000.1378540597.0000000000340000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exeD vs surfex.exe
Source: surfex.exe, 00000000.00000002.1384266730.0000000003698000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBipolar.exe8 vs surfex.exe
Source: surfex.exe, 00000000.00000002.1383524196.000000000082E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs surfex.exe
Source: surfex.exe	Binary or memory string: OriginalFilenameVQP.exeD vs surfex.exe

Source: surfex.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: surfex.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@0/1

Source: C:\Users\user\Desktop\surfex.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\surfex.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Temp\Tmp88CB.tmp

Jump to behavior

Source: surfex.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: surfex.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Program Files (x86)\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: surfex.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\surfex.exe "C:\Users\user\Desktop\surfex.exe"
Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32

Jump to behavior

Source: Google Chrome.lnk.4.dr

LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: surfex.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: surfex.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: surfex.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: RegAsm.exe, 00000004.00000002.2636262302.0000000005504000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\56zm\xzd9\obj\Releas\Zaq1.pdbpdb source: surfex.exe
Source:	Binary string: C:\Windows\System.ServiceModel.pdb source: RegAsm.exe, 00000004.00000002.2633721942.0000000000B87000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: RegAsm.exe, 00000004.00000002.2636262302.00000000054F7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: RegAsm.exe, 00000004.00000002.2633840690.0000000000D71000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0650ECF2 push eax; ret

4_2_0650ED01

Source: surfex.exe

Static PE information: section name: .text entropy: 7.996095896093537

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe	Memory allocated: 2460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Memory allocated: 4660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe TID: 7508	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7524	Thread sleep time: -55000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\surfex.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000004.00000002.2633840690.0000000000D71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: RegAsm.exe, 00000004.00000002.2636262302.0000000005504000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~

Source: C:\Users\user\Desktop\surfex.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\surfex.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\surfex.exe

Code function: 0_2_0266248D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0266248D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\surfex.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\surfex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000	Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 816008	Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\surfex.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\surfex.exe	Queries volume information: C:\Users\user\Desktop\surfex.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: surfex.exe, 00000000.00000002.1383524196.0000000000862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: surfex.exe, 00000000.00000002.1383524196.0000000000862000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.surfex.exe.3665570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.surfex.exe.3665570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2633603062.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: surfex.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 0.2.surfex.exe.3665570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.surfex.exe.3665570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2633603062.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: surfex.exe PID: 7412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7520, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
surfex.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
surfex.exe	100%	Avira	TR/AD.RedLineSteal.yzflb

Source	Detection	Scanner	Label	Link
185.218.125.157:21441	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
185.218.125.157:21441	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://tempuri.org/Entity/Id24LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id4	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Ent	RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.ip.sb/ip	surfex.exe, 00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2633603062.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id9Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id6LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/	RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id3Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id14	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id12Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id18Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/soap/envelope/	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id15LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id19Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id17Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id20Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id3LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9i	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id4Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id21Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id23LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id7Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id2Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id11Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id22Response	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id1	RegAsm.exe, 00000004.00000002.2634444607.0000000002CAF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E39000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002C56000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002CFD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002DEA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F25000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002FC3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002F74000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000002D4C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id13Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16Responsex	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/Entity/Id16LR	RegAsm.exe, 00000004.00000002.2634444607.0000000003012000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2634444607.0000000003061000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.218.125.157	unknown	Germany		46261	QUICKPACKETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577531
Start date and time:	2024-12-18 15:07:29 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	surfex.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 79 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: surfex.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.218.125.157	YBO7mSI3Ul.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
QUICKPACKETUS	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	armv5l.elf	Get hash	malicious	Mirai	Browse	23.133.3.186
	elitebotnet.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	23.133.3.168
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	185.225.234.108
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	EeSNugjFh5.bat	Get hash	malicious	Unknown	Browse	193.26.115.21
	https://webradiojaguar.net/FNB-POP.pdf	Get hash	malicious	Unknown	Browse	172.82.129.154
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	Play_VM-NowCRQW.html	Get hash	malicious	HTMLPhisher	Browse	172.82.129.154

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 08:16:16 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.4563179169755576
Encrypted:	false
SSDEEP:	48:8S9dYT5H0lRYrnvPdAKRkdAGdAKRFdAKRz:8SIx7
MD5:	A2EA156492FE026929AEF7FBAF822CAA
SHA1:	27A79DCB903536F3626E24D4D92C2C37141B2BF6
SHA-256:	3FE976A7F0B76423AB7E51D9F4B3643231FDF7997EA7E754F45DA6D9EE0303FB
SHA-512:	E6E5F0A5FDADA05E5966AF33B21D3F69E07A42024DF530D22AC164DCCC9C1B086B9A9BB52C8B9B26C6ADFF436CEF00EE44822BAF48BB9BC298837FB2492DE403
Malicious:	false
Reputation:	low
Preview:	L..................F.@.. ......,....3...l....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.I..PROGRA~1..t......O.IEW.I....B...............J.....\...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW.F....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.F..Chrome..>......CW.VEW.F....M......................O..C.h.r.o.m.e.....`.1.....EW.F..APPLIC~1..H......CW.VEW.F.............................A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.I..........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\surfex.exe.log

Download File

Process:	C:\Users\user\Desktop\surfex.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Temp\Tmp88CB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp8949.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	7.645088805856235
Encrypted:	false
SSDEEP:	48:S7SjQDUW8LzvLzhNDlpMT3pmIcUSmwprWggmzCl05fpGmETeJaIv4:ASUD0TzhNT6fcUSmwprWm0GfJ3z4
MD5:	F5CB60C9F53DBE487550AC3178FBA7FB
SHA1:	B40BBF106C76F015514EFF58B1F1470FD4CBD7E6
SHA-256:	7C6BB885ACDA675190C630E57BBDA0442A7D2BB5EBE78CE9A1AC113F5D64E8C2
SHA-512:	C05F8EB725D1469B87FD18DD31E944C21B4F5FD84756A58CA4B21BC5BA7E85FA15E747E8187CFE9C23B6E74705B6741BAD2D3A389B18C0FEE93B8AE74FA7F68E
Malicious:	false
Preview:	........'...............P...............{41744BE4-11C5-494C-A213-BA0CE944938E}.....................RSA1..................v..XU~l2_.......vj....b.... ..&...X.Y...=q...).....`.1.0..~......5DL. ..S>.......<..y...?YOA.... eb.QD..B..<.!..'J..+.'...4fu.z./....]@.y.b...o...).j'......0}B.j..R..-..2.....'=...@....s....;. .v=..;...\$...G....2S....al.ZQ.Q...w...aXzW.....................z..O........P ..M.bjH.S.K....,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... ...T.)...(\.B.a..y-.(.....QZ...s7.............. .....I..._y......&.5\n..B..>. ...P...i\vK]h-.=.C0...h;..\|,..E.:...b"`lq._i...'...U.......f....z.d.b..l....(~o.;.....q( ....p..r....q..A...R.x.....>...iDY.C.B...........v.........3k..>......7.=.....[K5..E.NqeV.Jag.K..... ....<&.\.a..z..D_Fi.3.._..R{%..~..XW....g.{!.....G..:.o...`.....nq%.C....ZQ"F. ...u_......m>..5....F.0....n...K...^ ..f.Gn....t9.....J.U..........XVvWR..U'2\|.;.....4.~....!u.{$...k>_.G...O_..\|.3...K......9=.2..]....u1.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.989033763427159
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	surfex.exe
File size:	317'952 bytes
MD5:	1f4b0637137572a1fb34aaa033149506
SHA1:	c209c9a60a752bc7980a3d9d53daf4b4b32973a9
SHA256:	60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648
SHA512:	4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86
SSDEEP:	6144:Zm1G61auNh8PDtyJvsHP+iVQmoc2RZ4cm++pBESrvD6ClOC:6GaxO5rHPkmojzAr6C8
TLSH:	126423D72DAF4656CE6E9FB754712004108D39226FC322E6F0AE586F3B6C55E84B0A3D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...7o.f................................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44efce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C86F37 [Fri Aug 23 11:15:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4ef7c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x5e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4ee44	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4cfd4	0x4d000	cbd5d241232a937003daa032701256cd	False	0.993896484375	data	7.996095896093537	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x50000	0x5e0	0x600	d4088ec87242a60f1273a4380deae966	False	0.4368489583333333	data	4.148168320019589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x52000	0xc	0x200	7476045ea2e1d33a034524dd3f9b1bb4	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x500a0	0x350	data			0.43985849056603776
RT_MANIFEST	0x503f0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 15:08:43.440026999 CET	49707	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:43.559642076 CET	21441	49707	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:43.559772968 CET	49707	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:43.727916956 CET	49707	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:43.847784042 CET	21441	49707	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:45.729409933 CET	21441	49707	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:45.729527950 CET	49707	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:46.230369091 CET	49707	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:51.484071970 CET	49710	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:51.603598118 CET	21441	49710	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:51.603745937 CET	49710	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:51.604424000 CET	49710	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:51.724087000 CET	21441	49710	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:53.760962963 CET	21441	49710	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:53.761192083 CET	49710	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:53.761548996 CET	49710	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:58.767908096 CET	49711	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:58.887556076 CET	21441	49711	185.218.125.157	192.168.2.9
Dec 18, 2024 15:08:58.887722015 CET	49711	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:58.888799906 CET	49711	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:08:59.008260965 CET	21441	49711	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:01.075428009 CET	21441	49711	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:01.075812101 CET	49711	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:01.076935053 CET	49711	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:06.092375994 CET	49712	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:06.212094069 CET	21441	49712	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:06.212203979 CET	49712	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:06.212510109 CET	49712	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:06.332325935 CET	21441	49712	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:08.402425051 CET	21441	49712	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:08.402595997 CET	49712	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:08.402904987 CET	49712	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:13.420273066 CET	49713	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:13.540085077 CET	21441	49713	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:13.540185928 CET	49713	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:13.540509939 CET	49713	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:13.661287069 CET	21441	49713	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:15.780684948 CET	21441	49713	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:15.780817986 CET	49713	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:15.784630060 CET	49713	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:20.795639038 CET	49714	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:20.915241957 CET	21441	49714	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:20.915365934 CET	49714	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:20.915685892 CET	49714	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:21.035252094 CET	21441	49714	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:23.137145042 CET	21441	49714	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:23.137213945 CET	49714	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:23.137447119 CET	49714	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:28.154829979 CET	49716	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:28.274672985 CET	21441	49716	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:28.274888992 CET	49716	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:28.275285959 CET	49716	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:28.394875050 CET	21441	49716	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:30.479592085 CET	21441	49716	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:30.479780912 CET	49716	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:30.479949951 CET	49716	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:35.483935118 CET	49717	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:35.603574991 CET	21441	49717	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:35.603737116 CET	49717	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:35.620699883 CET	49717	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:35.740336895 CET	21441	49717	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:37.782433033 CET	21441	49717	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:37.782526016 CET	49717	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:37.782798052 CET	49717	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:42.798254967 CET	49718	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:42.918301105 CET	21441	49718	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:42.918436050 CET	49718	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:42.919213057 CET	49718	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:43.040357113 CET	21441	49718	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:45.152811050 CET	21441	49718	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:45.152951956 CET	49718	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:45.153156996 CET	49718	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:50.226567984 CET	49719	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:50.347568035 CET	21441	49719	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:50.347687960 CET	49719	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:50.350332975 CET	49719	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:50.469953060 CET	21441	49719	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:52.498087883 CET	21441	49719	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:52.498168945 CET	49719	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:52.498397112 CET	49719	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:57.514719009 CET	49720	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:57.636367083 CET	21441	49720	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:57.636558056 CET	49720	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:57.637403011 CET	49720	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:57.757251978 CET	21441	49720	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:59.870657921 CET	21441	49720	185.218.125.157	192.168.2.9
Dec 18, 2024 15:09:59.870794058 CET	49720	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:09:59.871069908 CET	49720	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:04.873624086 CET	49721	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:04.993874073 CET	21441	49721	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:04.994072914 CET	49721	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:05.025217056 CET	49721	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:05.144876957 CET	21441	49721	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:07.168890953 CET	21441	49721	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:07.169195890 CET	49721	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:07.169423103 CET	49721	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:12.186258078 CET	49722	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:12.305913925 CET	21441	49722	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:12.306035042 CET	49722	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:12.306345940 CET	49722	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:12.425860882 CET	21441	49722	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:14.488379955 CET	21441	49722	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:14.488441944 CET	49722	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:14.488650084 CET	49722	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:19.521166086 CET	49723	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:19.640818119 CET	21441	49723	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:19.640934944 CET	49723	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:19.643534899 CET	49723	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:19.764132977 CET	21441	49723	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:21.903701067 CET	21441	49723	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:21.903799057 CET	49723	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:21.904107094 CET	49723	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:26.921451092 CET	49724	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:27.041063070 CET	21441	49724	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:27.041215897 CET	49724	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:27.041570902 CET	49724	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:27.161353111 CET	21441	49724	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:29.219188929 CET	21441	49724	185.218.125.157	192.168.2.9
Dec 18, 2024 15:10:29.219286919 CET	49724	21441	192.168.2.9	185.218.125.157
Dec 18, 2024 15:10:29.443725109 CET	49724	21441	192.168.2.9	185.218.125.157

Target ID:	0
Start time:	09:08:24
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\surfex.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\surfex.exe"
Imagebase:	0x2f0000
File size:	317'952 bytes
MD5 hash:	1F4B0637137572A1FB34AAA033149506
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1384266730.0000000003665000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:08:25
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:08:25
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x370000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:08:25
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7e0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000002.2633603062.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.8%
Total number of Nodes:	31
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0266248D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,026623FF,026623EF), ref: 026625FC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 0266260F
Wow64GetThreadContext.KERNEL32(00000308,00000000), ref: 0266262D
ReadProcessMemory.KERNELBASE(00000304,?,02662443,00000004,00000000), ref: 02662651
VirtualAllocEx.KERNELBASE(00000304,?,?,00003000,00000040), ref: 0266267C
TerminateProcess.KERNELBASE(00000304,00000000), ref: 0266269B
WriteProcessMemory.KERNELBASE(00000304,00000000,?,?,00000000,?), ref: 026626D4
WriteProcessMemory.KERNELBASE(00000304,00400000,?,?,00000000,?,00000028), ref: 0266271F
WriteProcessMemory.KERNELBASE(00000304,?,?,00000004,00000000), ref: 0266275D
Wow64SetThreadContext.KERNEL32(00000308,024D0000), ref: 02662799
ResumeThread.KERNELBASE(00000308), ref: 026627A8

Strings

aryA, xrefs: 026624D3
VirtualAlloc, xrefs: 02662554
CreateProcessA, xrefs: 02662541
GetP, xrefs: 0266250F
TerminateProcess, xrefs: 0266268B
GetThreadContext, xrefs: 02662567
Load, xrefs: 026624CB
ResumeThread, xrefs: 026625C9
WriteProcessMemory, xrefs: 026625A0
VirtualAllocEx, xrefs: 0266258D
ReadProcessMemory, xrefs: 0266257A
SetThreadContext, xrefs: 026625B3
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 026625FB
ress, xrefs: 02662517

Memory Dump Source

Source File: 00000000.00000002.1384242704.0000000002662000.00000040.00000800.00020000.00000000.sdmp, Offset: 02662000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2662000_surfex.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 1dea4f9923421510dcd353eaf19576ef93eb4327d46877acf6a30357f1800947
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: F1B1D67664024AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 024A0C90 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03663590,?,?,?,?,?,?,2C8300BD,718AD5F1,?,024A0A2D,?,00000040,?), ref: 024A0EDC

Memory Dump Source

Source File: 00000000.00000002.1384094039.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_surfex.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 277ca324607d66a9445b49eebb3861a588dc1c8de310d3732546063c10ae6a78
Instruction ID: cef1d4bff1da2885d6afef8ead9cd3effc12a89bfbedb2c5851fb400b861e7cf
Opcode Fuzzy Hash: 277ca324607d66a9445b49eebb3861a588dc1c8de310d3732546063c10ae6a78
Instruction Fuzzy Hash: ED710472D142668FCB10CFA9C8907EEFFF1BF54204F1495AAD468EB252C3759841CBA0

Function 024A04FC Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03663590,?,?,?,?,?,?,2C8300BD,718AD5F1,?,024A0A2D,?,00000040,?), ref: 024A0EDC

Memory Dump Source

Source File: 00000000.00000002.1384094039.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_surfex.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 10e6c35b8743ef6d903ffc036c1fb26f032ff1f813f32a362ddebfba1539f074
Instruction ID: 68584a4f5a35c762e49e7cecf1b44457949781af7f47125edce4fc2e9689601d
Opcode Fuzzy Hash: 10e6c35b8743ef6d903ffc036c1fb26f032ff1f813f32a362ddebfba1539f074
Instruction Fuzzy Hash: 0721EDB591025DAFCB10DF9AD884BDEFBB4FF09310F10812AEA18A7340C374A954CBA1

Function 024A04E4 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,2C8300BD,718AD5F1,?,024A09D3), ref: 024A0BA4

Memory Dump Source

Source File: 00000000.00000002.1384094039.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_surfex.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 35009f40f009efb54dd7941fae0564964fbde18a01d328655bf804854fb3b013
Instruction ID: 3a990da568b44c93162cecb285e8cffc1be56a25e04aa2abbba606bb89045c36
Opcode Fuzzy Hash: 35009f40f009efb54dd7941fae0564964fbde18a01d328655bf804854fb3b013
Instruction Fuzzy Hash: 9E1130B59003498FDB20DF9AC544BDEFBF4EB48328F20846AD519A7340D378A944CFA0

Function 024A0B41 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,2C8300BD,718AD5F1,?,024A09D3), ref: 024A0BA4

Memory Dump Source

Source File: 00000000.00000002.1384094039.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_surfex.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: c7730a3ea6087398ea92fa2e9fe3662cff6e67441b60291caf5d13fc06d04d3b
Instruction ID: c16d761c99d8103b4e0a47e177ab05f5eb3ed646ca482bc117094241557f858a
Opcode Fuzzy Hash: c7730a3ea6087398ea92fa2e9fe3662cff6e67441b60291caf5d13fc06d04d3b
Instruction Fuzzy Hash: E21122B58003498FDB20CF9AC584BDEBBF4EB48324F20845AD519A7350D378A944CFA0

Analysis Process: RegAsm.exePID: 7520, Parent PID: 7412COMMON

Execution Graph

Execution Coverage:	7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	3

Executed Functions

Function 06503F50 Relevance: .5, Instructions: 522
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2740e53401ea8a65db1a6edd28e66af6a9f1f0d031e4c7c1610c08aef9c11bc0
Instruction ID: 8b053c0e5b9571e27a2715b157140733f92523d82c29b06d419de4e33eb4d702
Opcode Fuzzy Hash: 2740e53401ea8a65db1a6edd28e66af6a9f1f0d031e4c7c1610c08aef9c11bc0
Instruction Fuzzy Hash: D6125D34B00205DFEB54DF69C494AAEBBF6BF88600B158569D906EB3A5DF31DC41CB90

Function 065067D8 Relevance: .4, Instructions: 411
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1596f7260baa52c8b4bd0810f51e05b6556d9d501c6be0a7e6856cc42b194a18
Instruction ID: a2a4b40a7096abbb41474c1bb7fde3d2aa88e891e0c34074cefca49e5ad4caf9
Opcode Fuzzy Hash: 1596f7260baa52c8b4bd0810f51e05b6556d9d501c6be0a7e6856cc42b194a18
Instruction Fuzzy Hash: B9F1BF74A002099FEB54DF68D890B9EBBF2FF88300F158569E505EB2A1DB30ED55CB91

Function 0650A3D8 Relevance: .3, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3485489c1d091a8fa0cb2be7ebd6b1171fca644d97aa8f7f7fe8937f06b7a1d9
Instruction ID: f3b755b55d89be6f3a56478f9e5ee041eb5a8271b979bf5d2b6d4c2cf272527d
Opcode Fuzzy Hash: 3485489c1d091a8fa0cb2be7ebd6b1171fca644d97aa8f7f7fe8937f06b7a1d9
Instruction Fuzzy Hash: BAD1D474D00218CFDB58EFB4D854A9DBBB2FF8A301F1085A9D51AAB254DB31998ACF11

Function 0650A3E8 Relevance: .3, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8ebef83ca2cc599a9b6ee3d704b36d2b4c587447c60c189511c98a26a945de
Instruction ID: 2fdb26d82de5684bc9a7bbfaeb8c5162b434eb6beb2d4faca4c711b0d16d98a8
Opcode Fuzzy Hash: 4b8ebef83ca2cc599a9b6ee3d704b36d2b4c587447c60c189511c98a26a945de
Instruction Fuzzy Hash: 25D1C334E00218CFDB58EFB4D85469DBBB2FF8A301F1081A9D50AAB254DB31998ADF11

Function 0294AE30 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0294B086

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 22ac302ccfb78eecba08ddadd84a5e7e103d48423597bb9dd2ae35c3b2861c78
Instruction ID: 5cd6edcb831455fbfeec960ff54376e1e20a4046ffa7516b6dc73fe59b6dbd2a
Opcode Fuzzy Hash: 22ac302ccfb78eecba08ddadd84a5e7e103d48423597bb9dd2ae35c3b2861c78
Instruction Fuzzy Hash: 927124B1A00B059FE724DF2AD154B5ABBF5FF88304F008A2DE49AD7A40DB75E845CB91

Function 02944248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029459F1

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0e323780cb7fb89bbe8cc259cd5aa4353c7220bbf0e97f48441922a6267170cd
Instruction ID: c4778639c36d89a4d723b10d476a01f7d074c2ac7d365eec14d9de43ee64537c
Opcode Fuzzy Hash: 0e323780cb7fb89bbe8cc259cd5aa4353c7220bbf0e97f48441922a6267170cd
Instruction Fuzzy Hash: 8241CEB0C00719CBEB24CFA9C884B9EBBB5FF49704F60806AD408AB251DB756949CF90

Function 02945935 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 029459F1

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 4dca50748366e49d726fa40d91760ec3520c793a97891c24b3e7607bc98bab04
Instruction ID: 09e150c823810cf0cebc01e120e12de732a8a6b686b86db254cd7158af29fb21
Opcode Fuzzy Hash: 4dca50748366e49d726fa40d91760ec3520c793a97891c24b3e7607bc98bab04
Instruction Fuzzy Hash: AD41DFB0C00719CFEB24CFA9C884B9EBBB5FF89704F60806AD408AB250DB756949CF50

Function 0294C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0294D2C6,?,?,?,?,?), ref: 0294D387

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: a2e38ac4a19f3dbf3786ed72066a489c5a5f2e8f08d2f43b1d338530cda98d39
Instruction ID: 4b9616979f4b8b3f5f8856d611342c6a53481e8b6916f851f6e4f59252b95c83
Opcode Fuzzy Hash: a2e38ac4a19f3dbf3786ed72066a489c5a5f2e8f08d2f43b1d338530cda98d39
Instruction Fuzzy Hash: CA21E4B5900349DFDB10CF9AD984ADEBBF8EB48314F14845AE918A3310D774A954CFA5

Function 0294D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0294D2C6,?,?,?,?,?), ref: 0294D387

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 8a99b12d5e1501758c8d82dff75c8a599e664097ac66f3539d97a119aecd6593
Instruction ID: 166a4449774c1f1d21faef58459ab8081d38149107b6f55cce6cd912a6de758b
Opcode Fuzzy Hash: 8a99b12d5e1501758c8d82dff75c8a599e664097ac66f3539d97a119aecd6593
Instruction Fuzzy Hash: 8121E2B6D00249DFDB10CFAAD984ADEBBF4EB48314F14845AE918B3310D378AA54CF65

Function 0294B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0294B086

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8e830c1c3effa2fe00f60dd8c8a478cfbccf591307bb461949928406ac45a745
Instruction ID: 228112afd476957918f8d0fe27a253dbd98c25016c16898f371ff07d3d95a39b
Opcode Fuzzy Hash: 8e830c1c3effa2fe00f60dd8c8a478cfbccf591307bb461949928406ac45a745
Instruction Fuzzy Hash: 1D1110B6C007498FDB20CF9AC444BDEFBF4EB88224F10842AD868B7210D379A545CFA1

Function 065059D8 Relevance: 1.5, Strings: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 06505C29

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 3844e9543e3f9f2a3bf80d346c0f5177f567fe921ec00b72476dd05795ffcd02
Instruction ID: 5c890a161101b65e87bdc6db0f610193e4d9742e48add3aab8842e88994af97b
Opcode Fuzzy Hash: 3844e9543e3f9f2a3bf80d346c0f5177f567fe921ec00b72476dd05795ffcd02
Instruction Fuzzy Hash: D4C16D35600602CFD725CF18C58096ABBF2FF89314759C999D45A9B6A1EB30FC46CF94

Function 065048B8 Relevance: .6, Instructions: 590
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3562aa9905c27e1cbf2708e02c2bff5dfadcf33df808208338eb3c837c2661f1
Instruction ID: 60e8338264a61af07f43683a697c2f26351c8abd5ad6c8cdad73ef69a5ba86ef
Opcode Fuzzy Hash: 3562aa9905c27e1cbf2708e02c2bff5dfadcf33df808208338eb3c837c2661f1
Instruction Fuzzy Hash: C2324975B00605CFEB54DF29C584A6ABBF6FF88204B1584A9E646CB3A2DB30EC45CB51

Function 065048A8 Relevance: .3, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8af1a557c33517a229ae88ea601d1ecb536bd0d7fc5f7a3b18773474fb871703
Instruction ID: 0dc2a915b4495fa8070643ee60bc6af93c64b30b17d94b8a56e4a6da42cf8960
Opcode Fuzzy Hash: 8af1a557c33517a229ae88ea601d1ecb536bd0d7fc5f7a3b18773474fb871703
Instruction Fuzzy Hash: 0BB12634B00605CFDB54DF29C988A6EBBF6BF88204B1544A8E546DB3A2DB30ED05CB51

Function 06507D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51785058e740d5472259ee196d3c96917a0a23142154a95971d0ef719db6f762
Instruction ID: 6623c26273d15185a2d242ba9c0f4373d239024c9de5904f7b9d4c1252133091
Opcode Fuzzy Hash: 51785058e740d5472259ee196d3c96917a0a23142154a95971d0ef719db6f762
Instruction Fuzzy Hash: EB512571E00219CFEB54CFA9D884BDEBBB5BF88700F148529D415AB284DB75A946CF81

Function 06507D4C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd3b740aeceee0bc213e99f5de77701b610c8295600c9f610367e64b04a91f5
Instruction ID: 71da80309338c66dd4409783fcee8109a4183a1006a5f3e07990ea75e2d1388c
Opcode Fuzzy Hash: 7dd3b740aeceee0bc213e99f5de77701b610c8295600c9f610367e64b04a91f5
Instruction Fuzzy Hash: EC5157B1D01219DFEB64CFA9C885BDEBBF5BF48700F148529E415AB284DB74A845CF81

Function 065059C8 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a35c08b186a9828087834b98494fac7d794c805bef72d466dfc2cd02ba23da
Instruction ID: 90aeb356eb6ad2810e7195f06f10f63edaf9239bf0ef67415e329507b5592d29
Opcode Fuzzy Hash: d1a35c08b186a9828087834b98494fac7d794c805bef72d466dfc2cd02ba23da
Instruction Fuzzy Hash: 89412935A00605CFDB10CF59C9809AAF7F2FF89310B598999E5599B2A1E730F911CF94

Function 06503DE0 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d0481025b04825f0f1c2b766a8729501966d0c9ddba4b4f012b25c19b108f2
Instruction ID: 0e0f6a40c0c831ef6a69da30bd0380ce677217f737ccfafd00519e3edb292e89
Opcode Fuzzy Hash: 15d0481025b04825f0f1c2b766a8729501966d0c9ddba4b4f012b25c19b108f2
Instruction Fuzzy Hash: 4A313476B002118BD729A738E4516AE73E6DFCA320718447ED449CF380DE75EC078B91

Function 065084C8 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948e695742f9b2879e033d5ad3e470df2e6aca691c6dfb7a283eb8f1945865dc
Instruction ID: 99376fc5c3bacc5aa585723d256ad3389fb90914cdd445750fc2aaac2142fd38
Opcode Fuzzy Hash: 948e695742f9b2879e033d5ad3e470df2e6aca691c6dfb7a283eb8f1945865dc
Instruction Fuzzy Hash: BB31AB35B003048FDB09EBB8A46056E77E7EBC92017144579E506DB381EF39EC068BE1

Function 06505579 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424df0389c080ba6564cdfb1fdd3b7d026652cb138570dfb6ddacb3f5bc74cbc
Instruction ID: 62d8b273b1fa14d74d623ab589519bd751f258b4c2f470cd45768452f1b931e4
Opcode Fuzzy Hash: 424df0389c080ba6564cdfb1fdd3b7d026652cb138570dfb6ddacb3f5bc74cbc
Instruction Fuzzy Hash: A2318735B002119FDB05DF35D884AAEBBB2FF89204B508569E906CB3A5DF30ED01CB90

Function 06505588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3699b9716baec08f792077d207a3d02be8c61eaecb720e39bbb18b85016c2d2f
Instruction ID: fa1146b94534d50e73db533a5213b5863482dc0e60ece93d337784da3e86776f
Opcode Fuzzy Hash: 3699b9716baec08f792077d207a3d02be8c61eaecb720e39bbb18b85016c2d2f
Instruction Fuzzy Hash: 01316335B002119FDB15DF35D884AAEBBB6BF89200B408469E906CB3A5DF31ED01CBA0

Function 0650F920 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efebd566638f3770edac0c67a36f66edb2b768341994189270057529bbe7aab
Instruction ID: 1ca63bde87ee64f079414e933d6da89185273a00169eea9f79de14e8b213bff0
Opcode Fuzzy Hash: 1efebd566638f3770edac0c67a36f66edb2b768341994189270057529bbe7aab
Instruction Fuzzy Hash: 7131F7357093506FDB5A6F78D82455E3FBFEB8A11431504ABEA06CB395DD708C05CBA1

Function 065087A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a3bbcedb1d3273381d2aedd0896175507140272c34c90698b61d7dde8c427e
Instruction ID: 6e7200149a090a6011e9e989c8a4ecbc4871bf9ad0486e7434e2faeae8934ad2
Opcode Fuzzy Hash: d5a3bbcedb1d3273381d2aedd0896175507140272c34c90698b61d7dde8c427e
Instruction Fuzzy Hash: D841F0B1D01208DFEF14CFAAD944ADEBBB6BF88310F14842AE415B7294DB35A945CF90

Function 06508795 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11abb24eb04f148fc26e7cada3c9f27cc2520c4cde65faf8ed5996349f072524
Instruction ID: 1df65f890069dd8ecd43cfbe4232301eb23b6feac830731a7d804d4233bc1a58
Opcode Fuzzy Hash: 11abb24eb04f148fc26e7cada3c9f27cc2520c4cde65faf8ed5996349f072524
Instruction Fuzzy Hash: 8731F2B1D012489FEB14CFAAD944BDEBBF6AF88300F14842AE415B7294DB359945CF90

Function 06508A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf853fefef364afd2dcf4f4802d90d7b9897b6be1ef6eb40e9708c5ddef52a64
Instruction ID: 4ccaf136c2f239e29ad9dad465af085027386b139a809f661e93c36945e3e509
Opcode Fuzzy Hash: cf853fefef364afd2dcf4f4802d90d7b9897b6be1ef6eb40e9708c5ddef52a64
Instruction Fuzzy Hash: 3531E2B1D01258DFEF14DFA9D894B9EBBF5BF48310F24842AE409B7280DB75A945CB90

Function 028AD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634154543.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33ed473ff202df5f6f40ab877b62874744a2012ddb14f908c4853e164cd43aa
Instruction ID: 53d55208221699ce6410df6414b3f31d0a4c99a8138520dd143db85dd5610e3c
Opcode Fuzzy Hash: a33ed473ff202df5f6f40ab877b62874744a2012ddb14f908c4853e164cd43aa
Instruction Fuzzy Hash: CC212579500244DFEB05DF10D9D0B2ABF65FB88318F24C569E809CBA56CB36D456CBA2

Function 028AD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634154543.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629de2f1f8095d49e375f02a79ec6e49177b0a4fa6b5eeae6c4f53cc00b41939
Instruction ID: 5268dc7056b42f14dd5c927d0577ff510c7c1c6311b9ace0ecff36a79db2feab
Opcode Fuzzy Hash: 629de2f1f8095d49e375f02a79ec6e49177b0a4fa6b5eeae6c4f53cc00b41939
Instruction Fuzzy Hash: D221287D500344DFEB08DF10D9C0B16BB65FB84318F24C569D809CB656C73AE456CBA2

Function 028BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634194021.00000000028BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28bd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05f66aaf6af7da1c689239632c65863a85f9ea33b1cfb5355a6ca9e9dc79239b
Instruction ID: 24419c94ef04d8834e130098036e96cf81134bf246fde399d7bbd0f350d90ed8
Opcode Fuzzy Hash: 05f66aaf6af7da1c689239632c65863a85f9ea33b1cfb5355a6ca9e9dc79239b
Instruction Fuzzy Hash: 0521D07D604344EFDB16DF14D9C0B66BB65EF84218F24C5ADD80A8B386C73AD847CA62

Function 06508A8C Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2197a6af38dd332f4547774339e62760e66e0c12e823d2130443f5b6422d50
Instruction ID: 3c668b783577ff78c7376dcf457bbd0e1927516a20f8c0fdd20717d0a0d80fdf
Opcode Fuzzy Hash: ee2197a6af38dd332f4547774339e62760e66e0c12e823d2130443f5b6422d50
Instruction Fuzzy Hash: 4E2128B1D017589FEF24CFA9C895B9EBBF9BF48300F14842AE405B7280DB759945CB90

Function 028BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634194021.00000000028BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28bd000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c81da954bfa0ec7fc027b56e4a36ba2c06125a096fb43356ed790c985f26b35
Instruction ID: 9a78d66a004ce00449471beee6cf21280a924644e67c5e99840e795358f2895e
Opcode Fuzzy Hash: 1c81da954bfa0ec7fc027b56e4a36ba2c06125a096fb43356ed790c985f26b35
Instruction Fuzzy Hash: CC2180795087809FCB02CF14D994B51BF71EF46214F28C5EAD8498F2A7C33A985ACB62

Function 0650BC5D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09198cc1e09b13947dc5fbb71ad81854acbb039634274fd80721131b59c92b3
Instruction ID: f15455611322e56065757cec2a7205da5cb633028a8a271a51bd77eee1bbbb51
Opcode Fuzzy Hash: c09198cc1e09b13947dc5fbb71ad81854acbb039634274fd80721131b59c92b3
Instruction Fuzzy Hash: 571104392002005FDBD5AB38E8648AF3BABEFC6354304481DEA07C7600CD70AD068BB2

Function 0650A84E Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85cc2523e04de3dd5d5052113dd8fd2d700112a868c65c1133465f87100c821
Instruction ID: 72ef8fcb350f6c797e5687b2bbef808864d21067e6ab90892cf367a54e892dc5
Opcode Fuzzy Hash: d85cc2523e04de3dd5d5052113dd8fd2d700112a868c65c1133465f87100c821
Instruction Fuzzy Hash: 7B112E7190D3D48FEB168B648814298BFB1FF07251F0501EBD08ADB293D73D894ACB22

Function 06508C58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d287bf1c664a9c0bf60025b9f0a02791e440afa870ff939124cc25d66925f6d
Instruction ID: c7167a6496161fb1b8b86ffc89c43b999d8c56edb3ecff108bc557fb5353e2be
Opcode Fuzzy Hash: 7d287bf1c664a9c0bf60025b9f0a02791e440afa870ff939124cc25d66925f6d
Instruction Fuzzy Hash: 2221D075E012189FDF48CFA9E888ADDBBB1BB89301F10912AE805B3390EB345905CF54

Function 028AD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634154543.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction ID: 8e0a7e45038bcf93accf7c550a7e91539eda3eceec0ccca5e9032f300b3718e3
Opcode Fuzzy Hash: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction Fuzzy Hash: 2311D37A504280DFDB15CF10D9C4B56BF71FB84324F28C6A9D8098BA56C33AE456CBA1

Function 028AD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634154543.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction ID: 6dfc49da317db56d6c8af046d4e563983f957f7237c0cc5ccd0c4d9e0ae87add
Opcode Fuzzy Hash: 0c18b29bf45e1f8211f0d9b8393173274bc5291f3679a0d43233693b02d382c4
Instruction Fuzzy Hash: 6611E67A504280CFDF15CF10D9C4B56BF71FB84318F28C6A9D8498BA56C336D456CBA1

Function 06508350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4777534b89b0dc64627706829792b752d8d43d5b95518443dfc7c905fc0ff6b
Instruction ID: a77da27cef72b23064ea84a883192080443c26f3071b326a4b7ab04296873111
Opcode Fuzzy Hash: a4777534b89b0dc64627706829792b752d8d43d5b95518443dfc7c905fc0ff6b
Instruction Fuzzy Hash: C5017131B002199BDF10DEA9EC44AAFB7FAFBC8251B14803AE605D7280DB30991587A1

Function 0650C499 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c489fe5f075af592e01a816b9ccdd9a0a5ca457dc3b01b5c2122b4706f05196
Instruction ID: 8fbc4e49ad75ba5f70a2309d2dcbaaaff97921b61f50edcba62db937f0df745e
Opcode Fuzzy Hash: 8c489fe5f075af592e01a816b9ccdd9a0a5ca457dc3b01b5c2122b4706f05196
Instruction Fuzzy Hash: 5A01C0342057058FE325AF74E41866F7BE7EFCA315B108A6AD54A87640CF749D0ACBA2

Function 0650BC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98bcf8013664571e6b048537ab455e0b2cbfd5b2c7ab247a37a235ccf2d8f750
Instruction ID: 4862d85d415c0aa2e000eea7bafe24b7f2116a6b8d59aaaae10f80fd09455351
Opcode Fuzzy Hash: 98bcf8013664571e6b048537ab455e0b2cbfd5b2c7ab247a37a235ccf2d8f750
Instruction Fuzzy Hash: DC018F392002055FDBC4AB78E46452E77ABEFC9354754582CDA07CB640DEB0BD4A8BA2

Function 0650E8B0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8224bb2addffc129b1b4a88aa1a136c5d15b64614ba2bf3bf6e124a74114cba9
Instruction ID: 402cb8fca9ea766aaad4371ed828bb1ddf8ea1c5538ff0c1bb709e045bafabd4
Opcode Fuzzy Hash: 8224bb2addffc129b1b4a88aa1a136c5d15b64614ba2bf3bf6e124a74114cba9
Instruction Fuzzy Hash: 1701F934619304AFCB01EF74D81499A3FBFEF8620071444EAE905CB262DB32DD11C7A1

Function 0650C4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 066215c7fc418b30d667b33766e8a52375d7594a52b70c75affccd96c213c610
Instruction ID: 31a92c24e4e9c63a873cfc8c393a48fa11499438fe5457c6d919d1dae4267c47
Opcode Fuzzy Hash: 066215c7fc418b30d667b33766e8a52375d7594a52b70c75affccd96c213c610
Instruction Fuzzy Hash: 060188342006058BE324AF65E01865AB7E7EFC9315B108A29D54A87A44CF74AC0A8BA2

Function 06505508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a89b53b387625a67b564e14b817b293e938c1d2dee316651f91932fb503cf389
Instruction ID: dab9b14ee3fb0f6642919ffe66443ab8631ce42a14b01d298e50de5ffe2f0a23
Opcode Fuzzy Hash: a89b53b387625a67b564e14b817b293e938c1d2dee316651f91932fb503cf389
Instruction Fuzzy Hash: 5E01A938A11701CFEBB59A35E60462777F7FF84209714883CD54686594FE71E484CF90

Function 06506E90 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72a6752765d32e174d3cde9171e74bf42d4ec6dd31d46ee9ca0855b7bbe60766
Instruction ID: de17cd5b3f7917bd3b5ceeccb0b9d0704d293b0ccecff624b280cb67d3f7301a
Opcode Fuzzy Hash: 72a6752765d32e174d3cde9171e74bf42d4ec6dd31d46ee9ca0855b7bbe60766
Instruction Fuzzy Hash: DFF0B4672041D83FDB514EAA9C11EFF3FEDDB8E161B084056FBD8C1241C829C921ABB0

Function 06508F42 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f412d1229487829bc2befcfd45fd72588d9f0784372e3a5fcca6f5b12dc44b
Instruction ID: 4ecb5607e6a6db94b17703b2d6783d5b6c2502ab09731c44008d2d6934c7344e
Opcode Fuzzy Hash: c5f412d1229487829bc2befcfd45fd72588d9f0784372e3a5fcca6f5b12dc44b
Instruction Fuzzy Hash: 0B0116B4D04209EFEF44DFA8D946BAEBBB4FB08301F1045A9E815A3380E7744A41CF90

Function 0650B358 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc3f63c07f3e532aea405aa1536db9e99d175135981be46731c5819cf63d2678
Instruction ID: 5dbe4f28ba66128d98ba7a3c4a7ee1835335d2327da8c99e149311e6268e7564
Opcode Fuzzy Hash: fc3f63c07f3e532aea405aa1536db9e99d175135981be46731c5819cf63d2678
Instruction Fuzzy Hash: 0501F234909386EFCB05EFB8D5A449CBFB7FF4620472406D9D852AB292CF301A45DB62

Function 0650C170 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5ca07b9af2ce9a4b0394e2110c7119c7f7a0fe09cd3cd772c6ef79a65c807b
Instruction ID: 4345cea84413e05092117904628d5bf157483d72cf2543ce5b65acbaa67e712d
Opcode Fuzzy Hash: 5c5ca07b9af2ce9a4b0394e2110c7119c7f7a0fe09cd3cd772c6ef79a65c807b
Instruction Fuzzy Hash: 4801D6311017019FD315EF25E808466BFFFFB49301700861AE84683A10CB30A54ACFE4

Function 06508F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a001f520ddc652d3ba476a421fa2c086762eda3654715e80089d4c807f2d9b06
Instruction ID: 3f5f5add4f37b04fdbe48f28109327a8cd6a133b1b10c36e4bab70e7b84b08ea
Opcode Fuzzy Hash: a001f520ddc652d3ba476a421fa2c086762eda3654715e80089d4c807f2d9b06
Instruction Fuzzy Hash: 1F01D2B4D0420AEFDF44DFA9D945AAEFBF5BB49301F1085AAE915A3380E7744A41CF90

Function 0650ADE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c707e5c68a799ff52d3dbe521d3cde9606865a61869052d29ed3f5be7570c72a
Instruction ID: db1c4694cd5b0bb1c6eafff7dac7c7d16c75b2ec97490c44ab3022844df797fe
Opcode Fuzzy Hash: c707e5c68a799ff52d3dbe521d3cde9606865a61869052d29ed3f5be7570c72a
Instruction Fuzzy Hash: EAF02E352052406FCB542B79A8946CFBFDBEFCE214B00445DE20EC3142CD70584587B6

Function 028AD5F3 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634154543.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0307d3a85494643ebff0f0ac8f1c6de0979820eb41afcc01abc83141c20088
Instruction ID: f1d09d928792f75465d11980f1008f1f2913010a9fbc3b90cc952e82e4ff6ce5
Opcode Fuzzy Hash: 7b0307d3a85494643ebff0f0ac8f1c6de0979820eb41afcc01abc83141c20088
Instruction Fuzzy Hash: 90F0F97A200640AF97208F0AD984C27FBA9EBD4675719C55AE84A9B612C671EC41CBA0

Function 06503EC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e82bc509ee2de91ae4abd2f7702c08a416c95715057f4c239931f1f2363d004
Instruction ID: b6a0e9c3b592eebc72094f3fb3bad711d46a7d3918c6b6f537e27d78b740558d
Opcode Fuzzy Hash: 4e82bc509ee2de91ae4abd2f7702c08a416c95715057f4c239931f1f2363d004
Instruction Fuzzy Hash: D8F090353002014FC258E769E86196F73D79BCA610314892DD44A8B740EF70FD0687A2

Function 0650ACB8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a81195e8d6d1656d65a236bef198022959bb2445b8a95c680bda7245f24ee4
Instruction ID: 99866e46f358a3b02a0803c1a0dd0b96498e63e197e623361c5bbdec9feecbdf
Opcode Fuzzy Hash: 66a81195e8d6d1656d65a236bef198022959bb2445b8a95c680bda7245f24ee4
Instruction Fuzzy Hash: FEF09E733082A45FCB2B17746C240EE3FAAE9C62A130500DFE186CB152CE508906C3E2

Function 06506EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594e36e63ba4f6f3b65ceb1bbe3f60f653cbbfceb63ac873a4369275ee3a0101
Instruction ID: 7617b6a36b937734e086181736d024ec9e7c16ab173f7dfeb44273a6bf216c1a
Opcode Fuzzy Hash: 594e36e63ba4f6f3b65ceb1bbe3f60f653cbbfceb63ac873a4369275ee3a0101
Instruction Fuzzy Hash: 33F012662041E83F8B518EAA5C11CFB7FEDDA8E1617084156FFD8D2141C929C921ABB0

Function 028AD5E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634154543.00000000028AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_28ad000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 634f39a2a531c3e9a6ec4bdadd5715d880deb418b41f8b837644ddbf2cabe4d1
Instruction ID: 52f5ecf75be2b34539ed983a3724d1703fe391e506e2a8c5712853a43482693a
Opcode Fuzzy Hash: 634f39a2a531c3e9a6ec4bdadd5715d880deb418b41f8b837644ddbf2cabe4d1
Instruction Fuzzy Hash: 78F04F79104680AFD725CF05CD94C23BFB9EFC66647198489E88A9B753C671FC42CBA0

Function 065067C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dc75ce9d2a81c9e06b08892a5190098446e6102240349b3c8c02140ab752509
Instruction ID: 93d4000af24522bc6121c790f0365cceb221ce5f70aec93e1f51e6d730d3bbc7
Opcode Fuzzy Hash: 8dc75ce9d2a81c9e06b08892a5190098446e6102240349b3c8c02140ab752509
Instruction Fuzzy Hash: 22F02E31B00300ABE7209A28EC01F627FE4AF82724F158266F610CF1E2DAB1E804DB80

Function 06508FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c0810e3e066f7ab77b5d1e6ed6b455a21e5f5b69047660a9453a6737e8e724
Instruction ID: e770121a6f646ae09ee38620755cbadcc97919f152885397543bd917bd461fcf
Opcode Fuzzy Hash: 96c0810e3e066f7ab77b5d1e6ed6b455a21e5f5b69047660a9453a6737e8e724
Instruction Fuzzy Hash: DBF0C2B0C08259DFEF00CFB0C8159AEBFB0FB56201F0041C6E446E7391E6388A41CB40

Function 06508341 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e31e9e91589305a4959257c0323f74e0f41a6ac37bb8a5f61503b3e94173af8
Instruction ID: 8f806dd62bc080933a1e29b0abc7729e74cd0bcb7176ba177be6cb6efa534b6a
Opcode Fuzzy Hash: 9e31e9e91589305a4959257c0323f74e0f41a6ac37bb8a5f61503b3e94173af8
Instruction Fuzzy Hash: 3AF03772F102155B9F509969AC449BF7BF9EBD9261B080036D914D3181F734D91587A1

Function 0650B368 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6ee3463ec66425a1b58bd5e72ad0b39af84142a8078e9789e700f1440b3b747
Instruction ID: 8dda82e7cf4ee6b102f7d970a19be5aa65e5792a289fcd9eec99bcaa51c1ffb8
Opcode Fuzzy Hash: c6ee3463ec66425a1b58bd5e72ad0b39af84142a8078e9789e700f1440b3b747
Instruction Fuzzy Hash: EBF01474E0120AEFCB44EFB9E59955CBBB6FB49204B2046A9C906A7250EB305A44DB61

Function 065054F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be68abfdd819f8e7dc8de197153a30a28de9d0ada9e9a85b1fd9135b4e0df6a5
Instruction ID: 0400686e26d216b4faf01eed22feeaac0ff8b5d6c80f2f7957da6dc8980e7d73
Opcode Fuzzy Hash: be68abfdd819f8e7dc8de197153a30a28de9d0ada9e9a85b1fd9135b4e0df6a5
Instruction Fuzzy Hash: F2F0B4399007428FEBA5CA61DA0177BBBB2BF80215F48896DD04246995EBB5E545CF80

Function 0650AC60 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf384bab73739a05cbacb3b9b7984fd3841a2faaec873e7e87f2a306237e45d
Instruction ID: 5c0f55b8398a47eccd642371f00f39229e3a0328b3d93e3054be0d00929c6bfe
Opcode Fuzzy Hash: cbf384bab73739a05cbacb3b9b7984fd3841a2faaec873e7e87f2a306237e45d
Instruction Fuzzy Hash: B6F0A7362082E45FCB1B2778AC344DE3F6ADAC626570500DBD545CB152CE550909C7EA

Function 0650C110 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1c50171abb351c8327eaab6a791880258685dde14b8e7af7a687362b223a6b
Instruction ID: d420e1b7d20fd5608213accdc25bc2215633e75f10c88f84e3c5f7f6e1a4eecb
Opcode Fuzzy Hash: 2d1c50171abb351c8327eaab6a791880258685dde14b8e7af7a687362b223a6b
Instruction Fuzzy Hash: 5BF050302057D14FC713DB34E51479E7FFB9F82204B04059EE186CB652CA745D05C7A2

Function 0650ADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eceafc24f4791209dc38f7db6969c32cf927467bfd631871930c1b641eca90c
Instruction ID: ce2acc34ab509b07ae2a35c136bafddfc007adffd179e2984d5a1737fc5e7f2c
Opcode Fuzzy Hash: 4eceafc24f4791209dc38f7db6969c32cf927467bfd631871930c1b641eca90c
Instruction Fuzzy Hash: 86E0D835300100ABDB582F6AE498A9F7BDFEBCD351B00442CE20EC3241CEB15C0547B6

Function 0650C180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e81eab74371c566c216edfa00c58057e074147043ab5fff575c3a20c1da5b1
Instruction ID: 9acdebc6edab00b68c2a7c1c4a920e40bb3e5bf6fbfd5e0b1c54674836873eaf
Opcode Fuzzy Hash: 66e81eab74371c566c216edfa00c58057e074147043ab5fff575c3a20c1da5b1
Instruction Fuzzy Hash: CFF06D34500B019FD719EF26E548516BBFBFB88305700862AE84B83A10DB70A50ACF94

Function 0650C120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a71a198b7684e71b351ba40f4f77fdb7998b352f5523aa10e06fc6a454a9d897
Instruction ID: 5e0627892f82a743a59242cba56348f92088e6f18bae69c05fb196f83dff436b
Opcode Fuzzy Hash: a71a198b7684e71b351ba40f4f77fdb7998b352f5523aa10e06fc6a454a9d897
Instruction Fuzzy Hash: C5E065302007555FC755AB29E5187AFBBEBDF86314F04052DE647C7641CFB1AC058BA2

Function 0650CC38 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6fbb19e6ca93be8caf8bdddd405cf49aab8c6c9c077b2277603c42e43af536
Instruction ID: b797aa0c33a2f82239cb33c5d35723a51362bbc3daad6b01e3662093155de758
Opcode Fuzzy Hash: cf6fbb19e6ca93be8caf8bdddd405cf49aab8c6c9c077b2277603c42e43af536
Instruction Fuzzy Hash: 6DE04F356062909FC762EA25FD14AEB3B76EB97618B025356E00097A46CA300946CBF2

Function 06505698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41b1341fceeb5e86bead459991db9bbfeb6b5c8b0226f4604d7b3489c65f0d07
Instruction ID: 80c97a44e4d26de13f931b28bd2daa2c718db7c964f500281952f6f40f56e0b4
Opcode Fuzzy Hash: 41b1341fceeb5e86bead459991db9bbfeb6b5c8b0226f4604d7b3489c65f0d07
Instruction Fuzzy Hash: 19E0D8B210C3119FD344DB60E8048967BE4EF95320F058C7EE480C7181FB76D841CBA9

Function 0650CE88 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5116fd78445e5edb049741cf225214ef0ce07faecad4d5bc8da9485c0f3ce9d4
Instruction ID: ce9299d1445140a9d7f4a8c690528796778da9ccbb4c9583091a85eaac13f04b
Opcode Fuzzy Hash: 5116fd78445e5edb049741cf225214ef0ce07faecad4d5bc8da9485c0f3ce9d4
Instruction Fuzzy Hash: 22E0D878405381AFC742EB34E5518AA3B7AEA5721430712CADC80DB645C6209D00C796

Function 0650B500 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f4c5b0e3c353abde6a3f7aca8b4243a5ee3170750926a343fe5de90702f33ba
Instruction ID: a73d23d6837ed50daf71818e64579353dbf1c878e327f325f3f9bc0ca2635f28
Opcode Fuzzy Hash: 0f4c5b0e3c353abde6a3f7aca8b4243a5ee3170750926a343fe5de90702f33ba
Instruction Fuzzy Hash: 68F03935C0424AEBCB05CFB4DA488CDFF7AEB42244F20429AE96196191DA321B46DB90

Function 0650E280 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e900cbb823149c4c306c78e247c851bac8584488b22f3df37bb8ff33f1c16c
Instruction ID: 456586046b24f3fecedd63f6cb3cd96d0ba582d4fd0bf5982679b9ec50acbb74
Opcode Fuzzy Hash: b1e900cbb823149c4c306c78e247c851bac8584488b22f3df37bb8ff33f1c16c
Instruction Fuzzy Hash: BDE0D8345057015FDB51FB10FF125A53775B75A708B021545DC0057A95CB705D49CBE2

Function 0650E1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c20a276efd3d35ca5b7c248ff6586f696431ffaef15933e2c007b795ee0c5b6
Instruction ID: ceec1f33c87dc7792c4312f8240886d984066a793025859cd7bcc583ca8498ce
Opcode Fuzzy Hash: 1c20a276efd3d35ca5b7c248ff6586f696431ffaef15933e2c007b795ee0c5b6
Instruction Fuzzy Hash: EBE0DF71A09248EFCB41DFA4E9109AE3BB69B82204F2041DBD809E7350D6304F258B62

Function 0650E8F8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b972335a8fd0b1598cc067e50d3efd31d0a0a8f05989e84c0c2281fb1cd6017
Instruction ID: 34fd18890b6c5981b5b52481c1fd5ceb93266267b53c3b3b6ed316a091738c32
Opcode Fuzzy Hash: 0b972335a8fd0b1598cc067e50d3efd31d0a0a8f05989e84c0c2281fb1cd6017
Instruction Fuzzy Hash: 68E0173E226254AFC702AB69DC40CD63F79EF4A62030840C6F6458F273C621A925DBB1

Function 0650F910 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7800e571f650a17d4df084cee037267a1013966f19353aa2cd8e82da3f826db7
Instruction ID: 1129a81e95392fd98bc134982f41469bd465aca5ab713537b24daef550f4e23f
Opcode Fuzzy Hash: 7800e571f650a17d4df084cee037267a1013966f19353aa2cd8e82da3f826db7
Instruction Fuzzy Hash: D9D02B357053246F8B1A167858240F73BAFABCA51032580A7F505DB146CD654C0F83E1

Function 0650AC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbae6d4b4c318c95f98026091e2f3aae84e91d7e3af21084eb432a41cbad768d
Instruction ID: e61a1bebeec383aa4f529bfe64d1d041c3ed7f494a0cbeacffba0eaf31790c67
Opcode Fuzzy Hash: bbae6d4b4c318c95f98026091e2f3aae84e91d7e3af21084eb432a41cbad768d
Instruction Fuzzy Hash: 10D05E36300129978E1D27B9F4184AE77ABEAC9762301006EE70BCB240CFA55D0A97DA

Function 0650B510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76dd506c84c462d8cf45333d7926fac60d32d58f9f356be797e3f86ebff03d7
Instruction ID: 4cb43acfdbc7e44cf1b3808c8d363b6d2ed73a0a94ae723b052f0abec8bd513a
Opcode Fuzzy Hash: a76dd506c84c462d8cf45333d7926fac60d32d58f9f356be797e3f86ebff03d7
Instruction Fuzzy Hash: 08E09275D0020DEFCB40DFE5E9448DDFBBAEB48200F2082AAD909A3200EB306B55DF90

Function 0650E210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69c98abeeffd52a205fe57aa7360bbe9e886efa6a9092c1f89c7bb998aa5866d
Instruction ID: 47ae9c34d6f09d7b61fb568ee6fbc18327ca97e1b48676364f9642af00eacbc1
Opcode Fuzzy Hash: 69c98abeeffd52a205fe57aa7360bbe9e886efa6a9092c1f89c7bb998aa5866d
Instruction Fuzzy Hash: AED05B71E0020CFFCB40DFA8E91155D77BADB45204B1041D9D909E3700DA315F109B91

Function 0650F8EA Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68920a99b455db1b6a6512fc4ebc82770b96ebfb44a1b5310569b937858a8e7b
Instruction ID: 76cb26fed61dcee4d17a6d67400494da6886c4f81682e53ddd69e9a0ac99d748
Opcode Fuzzy Hash: 68920a99b455db1b6a6512fc4ebc82770b96ebfb44a1b5310569b937858a8e7b
Instruction Fuzzy Hash: ADC012367400100B0AC56A5C701006D66DB83C86A3385006ADA0FC3344CD614C464B91

Function 06503721 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c7ea395d5f214638352c3ff0cfc9d7207ade0d17682424ad801db513ecd292
Instruction ID: e0277401f48b8dffbbb07fff939fd115e06c29e37ff428440c59003f52ed519f
Opcode Fuzzy Hash: 18c7ea395d5f214638352c3ff0cfc9d7207ade0d17682424ad801db513ecd292
Instruction Fuzzy Hash: B7B092326601021BF7507261AC0BFD2389193E07A5F195020B752A528ADEDAD04086A9

Non-executed Functions

Function 06506FE8 Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89e2ddf5dc8d6a92ec64cd2219667bdfe1b4abe151dba3052fc1a5b3cb32b06
Instruction ID: 5aeb03d76b723adadf23c8ef0bc4b0e7f0c75310eb8d9016ad1f55b1dacdcb4d
Opcode Fuzzy Hash: c89e2ddf5dc8d6a92ec64cd2219667bdfe1b4abe151dba3052fc1a5b3cb32b06
Instruction Fuzzy Hash: 48621FB46003009BE789DF18D45871A7BE6EB88308F65C49DC10A9F396DFB6D90B8F95

Function 06506FF8 Relevance: .8, Instructions: 780COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8ce7334e574c10efcd41e955357664d6b1c6ede294f40ca3ec943945954bde9
Instruction ID: 66587163a69400d57129b206574248791196560bb26363ff1cc498f32a9175ad
Opcode Fuzzy Hash: f8ce7334e574c10efcd41e955357664d6b1c6ede294f40ca3ec943945954bde9
Instruction Fuzzy Hash: A1621FB46003009BE789DF18D45871A7BE6EB88308F65C49DC10A9F396DFB6D90B8F95

Function 0294DC74 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2634350159.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2940000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6794c35a51440d36c50fc38835191a327e733e40aab0199bda813c5b7edbbfa9
Instruction ID: d07ac80ba155394b94783b899134bbeefb484864cd8bad35312b79323d2fe80f
Opcode Fuzzy Hash: 6794c35a51440d36c50fc38835191a327e733e40aab0199bda813c5b7edbbfa9
Instruction Fuzzy Hash: DBA19D36E0020A8FCF05DFB4C84499EB7B6FF84304B15856AE905AB265DF75EA06CF90

Function 0650E2C7 Relevance: 46.6, Strings: 37, Instructions: 387COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650E4F3
DTj, xrefs: 0650E51B
DTj, xrefs: 0650E4A3
DTj, xrefs: 0650E56B
DTj, xrefs: 0650E309
DTj, xrefs: 0650E6F8
DTj, xrefs: 0650E748
DTj, xrefs: 0650E680
DTj, xrefs: 0650E543
DTj, xrefs: 0650E7EE
DTj, xrefs: 0650E819
DTj, xrefs: 0650E456
DTj, xrefs: 0650E630
DTj, xrefs: 0650E7C3
DTj, xrefs: 0650E720
DTj, xrefs: 0650E593
DTj, xrefs: 0650E2E4
DTj, xrefs: 0650E6D0
DTj, xrefs: 0650E844
DTj, xrefs: 0650E5E3
DTj, xrefs: 0650E5BB
DTj, xrefs: 0650E770
DTj, xrefs: 0650E3E7
DTj, xrefs: 0650E86F
DTj, xrefs: 0650E4CB
DTj, xrefs: 0650E431
DTj, xrefs: 0650E658
DTj, xrefs: 0650E6A8
DTj, xrefs: 0650E798
DTj, xrefs: 0650E378
DTj, xrefs: 0650E3C2
DTj, xrefs: 0650E40C
DTj, xrefs: 0650E608
DTj, xrefs: 0650E32E
DTj, xrefs: 0650E353
DTj, xrefs: 0650E39D
DTj, xrefs: 0650E47B

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-3050091760
Opcode ID: bb42b7a2f1472ea788511921f0ee2de9ed68f03eef006c3e6c12c66a286e751c
Instruction ID: 133213786c10ea3d010b125be368cd0ca1acb27385156b6de738ca21a5232b5c
Opcode Fuzzy Hash: bb42b7a2f1472ea788511921f0ee2de9ed68f03eef006c3e6c12c66a286e751c
Instruction Fuzzy Hash: 50D1BF34700701ABE206F6A5DCA2AADB797FBCA304B444438C6084FB95EF727D295797

Function 0650E2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650E4F3
DTj, xrefs: 0650E51B
DTj, xrefs: 0650E4A3
DTj, xrefs: 0650E56B
DTj, xrefs: 0650E309
DTj, xrefs: 0650E6F8
DTj, xrefs: 0650E748
DTj, xrefs: 0650E680
DTj, xrefs: 0650E543
DTj, xrefs: 0650E7EE
DTj, xrefs: 0650E819
DTj, xrefs: 0650E456
DTj, xrefs: 0650E630
DTj, xrefs: 0650E7C3
DTj, xrefs: 0650E720
DTj, xrefs: 0650E593
DTj, xrefs: 0650E2E4
DTj, xrefs: 0650E6D0
DTj, xrefs: 0650E844
DTj, xrefs: 0650E5E3
DTj, xrefs: 0650E5BB
DTj, xrefs: 0650E770
DTj, xrefs: 0650E3E7
DTj, xrefs: 0650E86F
DTj, xrefs: 0650E4CB
DTj, xrefs: 0650E431
DTj, xrefs: 0650E658
DTj, xrefs: 0650E6A8
DTj, xrefs: 0650E798
DTj, xrefs: 0650E378
DTj, xrefs: 0650E3C2
DTj, xrefs: 0650E40C
DTj, xrefs: 0650E608
DTj, xrefs: 0650E32E
DTj, xrefs: 0650E353
DTj, xrefs: 0650E39D
DTj, xrefs: 0650E47B

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-3050091760
Opcode ID: 8d731dc43968e8ce2e5b153ced4f9586e3697e437350e43b4c6aea2bcb7c1eb9
Instruction ID: d43c8314f257fa3c6fb78eb0ad91b96611acc7378f22914c9f3ac7f0dce46cd3
Opcode Fuzzy Hash: 8d731dc43968e8ce2e5b153ced4f9586e3697e437350e43b4c6aea2bcb7c1eb9
Instruction Fuzzy Hash: 70D1A034300701ABE206F6A5DC61AADB397FBCA304B854438D6044F795EF727C195797

Function 0650CC7F Relevance: 16.4, Strings: 13, Instructions: 147COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650CE58
DTj, xrefs: 0650CCE6
DTj, xrefs: 0650CDE9
DTj, xrefs: 0650CE0E
DTj, xrefs: 0650CE33
DTj, xrefs: 0650CD7A
DTj, xrefs: 0650CDC4
DTj, xrefs: 0650CD30
DTj, xrefs: 0650CC9C
DTj, xrefs: 0650CD0B
DTj, xrefs: 0650CCC1
DTj, xrefs: 0650CD55
DTj, xrefs: 0650CD9F

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1192847946
Opcode ID: 63bdeb694d09a334aaf79b760d65a9836d5c2519b3396d13c1afdbeeb8b70e64
Instruction ID: 3c05962ae2c19f6f78d731a4dc802b00595a52abc9a5b9fa5702add20c14cf2f
Opcode Fuzzy Hash: 63bdeb694d09a334aaf79b760d65a9836d5c2519b3396d13c1afdbeeb8b70e64
Instruction Fuzzy Hash: 5641C034300700ABE306FAA5D856A6EB797FBCA304B444938D6188FB85CF766D194797

Function 0650CC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650CE58
DTj, xrefs: 0650CCE6
DTj, xrefs: 0650CDE9
DTj, xrefs: 0650CE0E
DTj, xrefs: 0650CE33
DTj, xrefs: 0650CD7A
DTj, xrefs: 0650CDC4
DTj, xrefs: 0650CD30
DTj, xrefs: 0650CC9C
DTj, xrefs: 0650CD0B
DTj, xrefs: 0650CCC1
DTj, xrefs: 0650CD55
DTj, xrefs: 0650CD9F

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1192847946
Opcode ID: 95ad22b60de88f716ffc021b4156dcebc0a50af491d421980bc903e2989756c2
Instruction ID: ea73afb1a590e4d06be52262a30134352be935f9901ee1c3b2b5fae51f2e9c6f
Opcode Fuzzy Hash: 95ad22b60de88f716ffc021b4156dcebc0a50af491d421980bc903e2989756c2
Instruction Fuzzy Hash: CC41C034300700ABE206FAA5D852A6EB797FBCA304B844938D7188FB85CF76BD154797

Function 0650CED1 Relevance: 10.1, Strings: 8, Instructions: 100COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650CF36
DTj, xrefs: 0650CEEC
DTj, xrefs: 0650CFCA
DTj, xrefs: 0650CFA5
DTj, xrefs: 0650CF80
DTj, xrefs: 0650CF11
DTj, xrefs: 0650CF5B
DTj, xrefs: 0650CFEF

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-2670367415
Opcode ID: bb35d66016d17ecb8b59238e03b6e777238814e9b80036463a792c1b3f473c0b
Instruction ID: b72a5dd2f77cd2cfb54a75704f4119db4e6792bac12ac1daf055f33206e5aa33
Opcode Fuzzy Hash: bb35d66016d17ecb8b59238e03b6e777238814e9b80036463a792c1b3f473c0b
Instruction Fuzzy Hash: 3B31E234700311ABE706FAA8D851AAEB79BFBCA304B444838D6088FB85CF767D154797

Function 0650CEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650CF36
DTj, xrefs: 0650CEEC
DTj, xrefs: 0650CFCA
DTj, xrefs: 0650CFA5
DTj, xrefs: 0650CF80
DTj, xrefs: 0650CF11
DTj, xrefs: 0650CF5B
DTj, xrefs: 0650CFEF

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-2670367415
Opcode ID: fb7288534fd09d5a6ef0fa2ca0da16f251bc5626df039e8ff5f50ca347af9712
Instruction ID: cd0471cece28140e553f62d5efc6b5aa17f43f1095b40019ca05afd1ffc1e56f
Opcode Fuzzy Hash: fb7288534fd09d5a6ef0fa2ca0da16f251bc5626df039e8ff5f50ca347af9712
Instruction Fuzzy Hash: 8121D034700311ABE706FAA9D851A6EB797FBCA308B844438D6188FB85CFB67C154797

Function 0650C968 Relevance: 8.8, Strings: 7, Instructions: 88COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650C9AD
DTj, xrefs: 0650CA51
DTj, xrefs: 0650CA28
DTj, xrefs: 0650C9FF
DTj, xrefs: 0650CA7A
DTj, xrefs: 0650C9D6
DTj, xrefs: 0650C984

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1309597825
Opcode ID: 76985a0f44f5c55a60a1d028c770f7b37ffc5dee1661bbb93a30b8d92ef2bede
Instruction ID: 9e9f606decd55f6e9a9cdc9e78a8e3d4901446ff5a0a6685d4893cc0eac860aa
Opcode Fuzzy Hash: 76985a0f44f5c55a60a1d028c770f7b37ffc5dee1661bbb93a30b8d92ef2bede
Instruction Fuzzy Hash: FD31C3303003526FEB01BBA5EC559AE77A3FB8A305704456CE619CFA94CF715D8A8B83

Function 0650C978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650C9AD
DTj, xrefs: 0650CA51
DTj, xrefs: 0650CA28
DTj, xrefs: 0650C9FF
DTj, xrefs: 0650CA7A
DTj, xrefs: 0650C9D6
DTj, xrefs: 0650C984

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-1309597825
Opcode ID: 58b156c406331ab2186a83b4e0cef93b99dd225485a4538d0c223b6a209c462f
Instruction ID: 9cadd7dbe90331899c241483caf308ea3b0abe0110a395b050b07a161817585d
Opcode Fuzzy Hash: 58b156c406331ab2186a83b4e0cef93b99dd225485a4538d0c223b6a209c462f
Instruction Fuzzy Hash: 8121B530300352AFEB05BBA5EC5586E77A3FB8A305704457CE619CFA94CE715D8A8B83

Function 0650D538 Relevance: 7.6, Strings: 6, Instructions: 78COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650D579
DTj, xrefs: 0650D59E
DTj, xrefs: 0650D5C3
DTj, xrefs: 0650D5E8
DTj, xrefs: 0650D60D
DTj, xrefs: 0650D554

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-23703227
Opcode ID: 197bae3bbc41e6e0d94fde75b18b2a65542c12e0ad9010f5f12c4648e1434fac
Instruction ID: 291b2c55f1d825eb77986445c24079e16c62ce463360255c2e9aa1efa3198b32
Opcode Fuzzy Hash: 197bae3bbc41e6e0d94fde75b18b2a65542c12e0ad9010f5f12c4648e1434fac
Instruction Fuzzy Hash: D821D434700350ABE306FBA99861A6DB797FBCA708B448538D6148FB85CF726D1947A3

Function 0650D548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON

Download Yara Rule

Strings

DTj, xrefs: 0650D579
DTj, xrefs: 0650D59E
DTj, xrefs: 0650D5C3
DTj, xrefs: 0650D5E8
DTj, xrefs: 0650D60D
DTj, xrefs: 0650D554

Memory Dump Source

Source File: 00000004.00000002.2636635756.0000000006500000.00000040.00000800.00020000.00000000.sdmp, Offset: 06500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6500000_RegAsm.jbxd

Similarity

API ID:
String ID: DTj$DTj$DTj$DTj$DTj$DTj
API String ID: 0-23703227
Opcode ID: eb10213e9a433d3d56f89cf19ae1a1dccb80e927e81d008ea28f28526c1ea772
Instruction ID: 934e1ad82ea45505d2a2addbae3ecc56400ca2fb7b5384ae408671c4532bf5d8
Opcode Fuzzy Hash: eb10213e9a433d3d56f89cf19ae1a1dccb80e927e81d008ea28f28526c1ea772
Instruction Fuzzy Hash: 7111D530700310ABE202F6A9D851A6EB797FBCA708B408538D6144FB84CF726D154793

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report surfex.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\Public\Desktop\Google Chrome.lnk

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\surfex.exe.log

C:\Users\user\AppData\Local\Temp\Tmp88CB.tmp

C:\Users\user\AppData\Local\Temp\Tmp8949.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
surfex.exe

Function 0266248D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 024A0C90 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Function 024A04FC Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 024A04E4 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 024A0B41 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 06503F50 Relevance: .5, Instructions: 522
COMMON

Function 065067D8 Relevance: .4, Instructions: 411
COMMON

Function 0650A3D8 Relevance: .3, Instructions: 296
COMMON

Function 0650A3E8 Relevance: .3, Instructions: 289
COMMON

Function 0294AE30 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Function 02944248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 02945935 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Function 0294C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0294D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0294B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 065059D8 Relevance: 1.5, Strings: 1, Instructions: 292
COMMON

Function 065048B8 Relevance: .6, Instructions: 590
COMMON

Function 065048A8 Relevance: .3, Instructions: 277
COMMON