Windows Analysis Report EngineOwning.exe

Overview

General Information

Sample Name: EngineOwning.exe
Analysis ID: 547406
MD5: b048329a4a46bad452d55722a532c911
SHA1: 438f8eb6525d96f08063d22e4028ad8df322c9ac
SHA256: 50c5913eb4e35d0676563b4f4dbe9111dfef559c11a8acdb378e7049979c4dca
Tags: exe

Detection

RedLine
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected RedLine Stealer
Found malware configuration
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Is looking for software installed on the system
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

Classification chart (figure): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.

Process Tree

  • System is w10x64
  • EngineOwning.exe (PID: 2340 cmdline: "C:\Users\user\Desktop\EngineOwning.exe" MD5: B048329A4A46BAD452D55722A532C911)
    • RegAsm.exe (PID: 6012 cmdline: #cmd MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration (RedLine)

{
  "C2 url": "95.143.177.66:9006"
}
Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000000.694968676.0000000000412000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000002.754722189.0000000000412000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000005.00000000.693963090.0000000000412000.00000040.00000001.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(3 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
5.0.RegAsm.exe.410000.4.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.0.RegAsm.exe.410000.1.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.EngineOwning.exe.36ea150.1.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.0.RegAsm.exe.410000.3.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
5.0.RegAsm.exe.410000.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(2 further entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp; Malware Configuration Extractor: RedLine {"C2 url": "95.143.177.66:9006"}
Multi AV Scanner detection for submitted file
Source: EngineOwning.exe; Virustotal: Detection: 27%
Source: EngineOwning.exe; Metadefender: Detection: 20%
Machine Learning detection for sample
Source: EngineOwning.exe; Joe Sandbox ML: detected

Compliance:

Source: EngineOwning.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: EngineOwning.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Source: Joe Sandbox View; ASN Name: RHTEC-ASrh-tecIPBackboneDE
Source: global traffic; TCP traffic: 192.168.2.4:49765 -> 95.143.177.66:9006
Source: unknown; TCP traffic detected without corresponding DNS query: 95.143.177.66
Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp; String found in binary or memory: h9https://www.facebook.com/chat/video/videocalldownload.php equals www.facebook.com (Facebook)
Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp; String found in binary or memory: http://appldnld.apple.com/QuickTime/041-3089.20111026.Sxpr4/QuickTimeInstaller.exe
Source: EngineOwning.exe, 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, EngineOwning.exe, 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp; String found in binary or memory: http://c9d0e790b353537889bd47a364f5acff43c11f245.xyz/verify.php?id=6_9c62e81794dbd165f64b48a8f80001a
Source: EngineOwning.exe, 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, EngineOwning.exe, 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp; String found in binary or memory: http://c9d0e790b353537889bd47a364f5acff43c11f24k.xyz/verify.php?id=6_9c62e81794dbd165f64b48a8f80001a
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: http://service.r
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: http://service.real.com/realplayer/security/02062012_player/en/
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: http://support.a
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponsehIy
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                        Source: RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4hIy
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                        Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                        Source: RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: EngineOwning.exe, 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, EngineOwning.exe, 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://get.adob
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://helpx.ad
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
                        Source: RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_java
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_pdf
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_quicktime
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_real
                        Source: RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
                        Source: RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
                        Source: RegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759060472.000000000375A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756260219.0000000002668000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756077413.00000000025A6000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758449216.00000000036E8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.758052607.0000000003677000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.759163328.00000000037CB000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757494883.0000000003594000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756415112.000000000272A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.757756961.0000000003606000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: EngineOwning.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_04CBEF60
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_04CB4548
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_04CBA190
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_04CB7348
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_04CB5D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00A4F288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00A49560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00A4A578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00A498A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EA8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EAF2E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EAAA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EACB78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EA5F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EAC060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC0540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BCD630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC8020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BCBD10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC0EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC78E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC16B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC56B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC56F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC56DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BC78DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BDD7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BDCEC8
Source: EngineOwning.exe | Binary or memory string: OriginalFilename vs EngineOwning.exe
Source: EngineOwning.exe, 00000000.00000002.695679266.0000000000252000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRvqKAZK.exe0 vs EngineOwning.exe
Source: EngineOwning.exe, 00000000.00000002.699652576.0000000002C8E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAbscission.exe4 vs EngineOwning.exe
Source: EngineOwning.exe, 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAbscission.exe4 vs EngineOwning.exe
Source: EngineOwning.exe | Binary or memory string: OriginalFilenameRvqKAZK.exe0 vs EngineOwning.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: EngineOwning.exe | Static PE information: invalid certificate
Source: EngineOwning.exe | Virustotal: Detection: 27%
Source: EngineOwning.exe | Metadefender: Detection: 20%
Source: EngineOwning.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\EngineOwning.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\EngineOwning.exe "C:\Users\user\Desktop\EngineOwning.exe"
Source: C:\Users\user\Desktop\EngineOwning.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #cmd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\EngineOwning.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EngineOwning.exe.log
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/2@0/1
Source: C:\Users\user\Desktop\EngineOwning.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: EngineOwning.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: EngineOwning.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_0025832A push edx; retf
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_04CBCEB8 push FFFFFFC7h; retf
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_051C2732 push eax; retf
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_051C7051 push 1405790Bh; iretd
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_051C2C10 pushfd ; iretd
Source: C:\Users\user\Desktop\EngineOwning.exe | Code function: 0_2_051C1E12 push esp; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EAFD02 pushad ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EAFD13 pushad ; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_04EA2077 push ebx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BD14F7 push E801005Eh; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BDF431 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BDD79F push 6400005Eh; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BD1103 push E801005Eh; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BDF230 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_05BD4E50 pushfd ; ret
Source: EngineOwning.exe | Static PE information: 0xE183BFE4 [Tue Nov 22 14:25:40 2089 UTC]
Source: C:\Users\user\Desktop\EngineOwning.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\EngineOwning.exe TID: 6452 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6748 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5884 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\EngineOwning.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: RegAsm.exe, 00000005.00000003.701288096.0000000005B64000.00000004.00000001.sdmp | Binary or memory string: VMware
Source: RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: RegAsm.exe, 00000005.00000003.701288096.0000000005B64000.00000004.00000001.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareUL8L44ZNWin32_VideoController1VCFMTUNVideoController120060621000000.000000-00078918587display.infMSBDAG8A53SW7PCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsUS8PY9NCm
Source: RegAsm.exe, 00000005.00000002.755190749.000000000080D000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 412000
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 302008
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\EngineOwning.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000 value starts with: 4D5A
Source: C:\Users\user\Desktop\EngineOwning.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #cmd
Source: C:\Users\user\Desktop\EngineOwning.exe | Queries volume information: C:\Users\user\Desktop\EngineOwning.exe VolumeInformation
Source: C:\Users\user\Desktop\EngineOwning.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\EngineOwning.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\EngineOwning.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\EngineOwning.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\EngineOwning.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\EngineOwning.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: RegAsm.exe, 00000005.00000002.755190749.000000000080D000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.761598774.0000000005B55000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.761707648.0000000005BAA000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                        Stealing of Sensitive Information:

                        Yara detected RedLine Stealer
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EngineOwning.exe.36ea150.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.RegAsm.exe.410000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.694968676.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.754722189.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.693963090.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.694643884.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Tries to harvest and steal browser information (history, passwords, etc)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6012, type: MEMORYSTR

                        Remote Access Functionality:

                        Yara detected RedLine Stealer
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.4.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.EngineOwning.exe.36ea150.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.3.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.2.RegAsm.exe.410000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 5.0.RegAsm.exe.410000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.694968676.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000002.754722189.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.693963090.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000005.00000000.694643884.0000000000412000.00000040.00000001.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP

                        Mitre Att&ck Matrix

                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                        Execution: Windows Management Instrumentation 231; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                        Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                        Privilege Escalation: Process Injection 211; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                        Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 241; Process Injection 211; Obfuscated Files or Information 1; Timestomp 1; DLL Side-Loading 1
                        Credential Access: OS Credential Dumping 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                        Discovery: Security Software Discovery 241; Process Discovery 11; Virtualization/Sandbox Evasion 241; Application Window Discovery 1; System Information Discovery 143; System Owner/User Discovery; Network Sniffing
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                        Collection: Archive Collected Data 1; Data from Local System 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                        Command and Control: Encrypted Channel 1; Non-Standard Port 1; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                        Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
                        Behavior Graph (ID: 547406, Sample: EngineOwning.exe, Startdate: 03/01/2022, Architecture: WINDOWS, Score: 96)

                        Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected RedLine Stealer; Machine Learning detection for sample
                        EngineOwning.exe (started) -> dropped C:\Users\user\...ngineOwning.exe.log (ASCII); signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes -> RegAsm.exe (started)
                        RegAsm.exe -> 95.143.177.66, 49765, 9006 (RHTEC-ASrh-tecIPBackboneDE, Russian Federation); signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Tries to harvest and steal browser information (history, passwords, etc)

                        Source | Detection | Scanner | Label
                        EngineOwning.exe | 28% | Virustotal |
                        EngineOwning.exe | 20% | Metadefender |
                        EngineOwning.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches
                        Source | Detection | Scanner | Label
                        5.0.RegAsm.exe.410000.3.unpack | 100% | Avira | HEUR/AGEN.1143193
                        5.0.RegAsm.exe.410000.0.unpack | 100% | Avira | HEUR/AGEN.1143193
                        5.0.RegAsm.exe.410000.4.unpack | 100% | Avira | HEUR/AGEN.1143193
                        5.0.RegAsm.exe.410000.1.unpack | 100% | Avira | HEUR/AGEN.1143193
                        5.0.RegAsm.exe.410000.2.unpack | 100% | Avira | HEUR/AGEN.1143193
                        5.2.RegAsm.exe.410000.0.unpack | 100% | Avira | HEUR/AGEN.1143193
                        No Antivirus matches
                        No contacted domains info
                        Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                          unknown
                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://tempuri.org/Entity/Id24RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/IssueRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://tempuri.org/Entity/Id24ResponseRegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://tempuri.org/Entity/Id1ResponseRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequestedRegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnlyRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReplayRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnegoRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64BinaryRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressingRegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://support.google.com/chrome/?p=plugin_shockwaveRegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://forms.reaRegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://schemas.xmlsoap.org/ws/2004/04/trustRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://tempuri.org/Entity/Id10RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id11RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id12RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id16ResponseRegAsm.exe, 00000005.00000002.756470118.0000000002740000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://tempuri.org/Entity/Id13RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id14RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://c9d0e790b353537889bd47a364f5acff43c11f245.xyz/verify.php?id=6_9c62e81794dbd165f64b48a8f80001aEngineOwning.exe, 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, EngineOwning.exe, 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id15RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id16RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://tempuri.org/Entity/Id17RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id18RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id19RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://support.google.com/chrome/?p=plugin_wmpRegAsm.exe, 00000005.00000002.756133106.00000000025BC000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756597163.00000000027BA000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://support.google.com/chrome/answer/6258784RegAsm.exe, 00000005.00000002.756313688.000000000267E000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000005.00000002.755908467.0000000002462000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000005.00000002.755827270.00000000023C1000.00000004.00000001.sdmpfalse
                                                                                                                                                high
IP              Domain    Country             ASN     ASN Name                         Malicious
95.143.177.66   unknown   Russian Federation  25560   RHTEC-AS rh-tec IP Backbone DE   true

                                                                                                                                                General Information

                                                                                                                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                Analysis ID:547406
                                                                                                                                                Start date:03.01.2022
                                                                                                                                                Start time:16:10:12
                                                                                                                                                Joe Sandbox Product:CloudBasic
                                                                                                                                                Overall analysis duration:0h 7m 45s
                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                Report type:light
                                                                                                                                                Sample file name:EngineOwning.exe
                                                                                                                                                Cookbook file name:default.jbs
                                                                                                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                Number of analysed new started processes analysed:17
                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                Number of injected processes analysed:0
                                                                                                                                                Technologies:
                                                                                                                                                • HCA enabled
                                                                                                                                                • EGA enabled
                                                                                                                                                • HDC enabled
                                                                                                                                                • AMSI enabled
                                                                                                                                                Analysis Mode:default
                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                Detection:MAL
                                                                                                                                                Classification:mal96.troj.spyw.evad.winEXE@3/2@0/1
                                                                                                                                                EGA Information:Failed
                                                                                                                                                HDC Information:
                                                                                                                                                • Successful, ratio: 0.4% (good quality ratio 0.4%)
                                                                                                                                                • Quality average: 73.7%
                                                                                                                                                • Quality standard deviation: 27.5%
                                                                                                                                                HCA Information:
                                                                                                                                                • Successful, ratio: 100%
                                                                                                                                                • Number of executed functions: 0
                                                                                                                                                • Number of non-executed functions: 0
                                                                                                                                                Cookbook Comments:
                                                                                                                                                • Adjust boot time
                                                                                                                                                • Enable AMSI
                                                                                                                                                • Found application associated with file extension: .exe
                                                                                                                                                Warnings:
                                                                                                                                                • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                • TCP Packets have been reduced to 100
                                                                                                                                                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                                                                                                                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                 Time | Type | Description
                                                                                                                                                 16:11:49 | API Interceptor | 10x Sleep call for process: RegAsm.exe modified
                                                                                                                                                No context
                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EngineOwning.exe.log
                                                                                                                                                Process:C:\Users\user\Desktop\EngineOwning.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):1299
                                                                                                                                                Entropy (8bit):5.353835388147306
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhgLE4qE4qXKIE4oKFKHKoZAE4Kzr7FE8:MIHK5HKXE1qHiYHKhQnogLHqHitHoxH5
                                                                                                                                                MD5:2D253637B9909B1E05AF430FE1AC0EE5
                                                                                                                                                SHA1:7CE166A8E327F659BE3D67AEA3CB62D6A0FB4CC4
                                                                                                                                                SHA-256:D6505CE2823493D0F30B7BFFE23336C1814A4EE71F54599199E35938C7930C9D
                                                                                                                                                SHA-512:C799072C4354B07D2AA336BF78FE2219175D907B993807A3555FE3730C38417E7825A6D2129D3EBB4CE93B11ED65173E8127CA615704F052A071637A5DCA44B1
                                                                                                                                                Malicious:true
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configurat
                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
                                                                                                                                                Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                Category:dropped
                                                                                                                                                Size (bytes):2291
                                                                                                                                                Entropy (8bit):5.3192079301865585
                                                                                                                                                Encrypted:false
                                                                                                                                                SSDEEP:48:MOfHK5HKXAHKhBHK1HmHKB1AHKzvQTHmYHKhQnoPtHoxHImHKoLHG1qHjHKdH5HX:vq5qXAqLq1GqUqzcGYqhQnoPtIxHbqoW
                                                                                                                                                MD5:A71F1AACAC3E9481B51D1278FA231155
                                                                                                                                                SHA1:04D4954EAFA44AF0EB063C448DF7F2252224B608
                                                                                                                                                SHA-256:2FEA0ECA1C1F9356EE85EA8A4842249B67492917261245741CDC7C3AF4825A9D
                                                                                                                                                SHA-512:BB573C1E9182E7896A142BD812201EDE1F277CC498D34F68D870A3A7BDCFC3B7AF8A74FE37D79A351DA734013A66C38C30A877645F8EF7D7A62DDE6496F1416C
                                                                                                                                                Malicious:false
                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c

                                                                                                                                                Static File Info

                                                                                                                                                General

                                                                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                Entropy (8bit):5.806655639060249
                                                                                                                                                TrID:
                                                                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                                                • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                File name:EngineOwning.exe
                                                                                                                                                File size:1026952
                                                                                                                                                MD5:b048329a4a46bad452d55722a532c911
                                                                                                                                                SHA1:438f8eb6525d96f08063d22e4028ad8df322c9ac
                                                                                                                                                SHA256:50c5913eb4e35d0676563b4f4dbe9111dfef559c11a8acdb378e7049979c4dca
                                                                                                                                                SHA512:a2bba29c6ef471c277b1e4eb7f096d416fc961da5b8fbdf03205795923da762cc03a596875bc83fe8dc465c27c6bc2fbe3c91d4c54a16f169d07a891f6f8f082
                                                                                                                                                SSDEEP:12288:ZVZ+5Mshjv3PfKybWP3XAKOAuRXyhLaDW5hLwWqM4y5jTKNi8:ZV4gP3XLYVywSlZ
                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..~............... ........@.. ....................................@................................

                                                                                                                                                File Icon

                                                                                                                                                Icon Hash:00828e8e8686b000

                                                                                                                                                General

                                                                                                                                                Entrypoint:0x4f9dbe
                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                Digitally signed:true
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                Subsystem:windows gui
                                                                                                                                                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                                Time Stamp:0xE183BFE4 [Tue Nov 22 14:25:40 2089 UTC]
                                                                                                                                                TLS Callbacks:
                                                                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                                                                OS Version Major:4
                                                                                                                                                OS Version Minor:0
                                                                                                                                                File Version Major:4
                                                                                                                                                File Version Minor:0
                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                Signature Valid:false
                                                                                                                                                Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                                                                                Error Number:-2146869232
                                                                                                                                                 Not Before:9/2/2021 8:33:02 PM
                                                                                                                                                 Not After:9/1/2022 8:33:02 PM
                                                                                                                                                Subject Chain
                                                                                                                                                • CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                                                                Version:3
                                                                                                                                                Thumbprint MD5:550C27BE6F1184B6CC93B4B4E2EA9D58
                                                                                                                                                Thumbprint SHA-1:C9CAEDC2CECF953E812C6446D41927B9864BB880
                                                                                                                                                Thumbprint SHA-256:63E8D95BCEE4522E6380E7F9305A676C0880AD93AD3BA9CB53FE43D6081A1025
                                                                                                                                                Serial:3300000255181DA42EE086FC15000000000255
                                                                                                                                                Instruction
                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                add byte ptr [eax], al
Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf9d70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfa000 | 0x5de | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xf8800 | 0x2388 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xf7dc4 | 0xf7e00 | False | 0.370541201778 | data | 5.78305740441 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xfa000 | 0x5de | 0x600 | False | 0.445963541667 | data | 4.32257721481 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfc000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xfa0a0 | 0x352 | data | |
RT_MANIFEST | 0xfa3f4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2021 FCVqMFFJZ
Assembly Version | 3.69.50.74
InternalName | RvqKAZK.exe
FileVersion | 3.69.50.74
CompanyName | FCVqMFFJZ
LegalTrademarks |
Comments | RLUbIhb
ProductName | RLUbIhb
ProductVersion | 3.69.50.74
FileDescription | RLUbIhb
OriginalFilename | RvqKAZK.exe

Network Behavior

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2022 16:11:35.650028944 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:35.711026907 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:35.711128950 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:35.965734005 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:36.027057886 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:36.151510000 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:37.018564939 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:37.080147982 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:37.135984898 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:43.482605934 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:43.545499086 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:43.545550108 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:43.545588017 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:43.545785904 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:46.615876913 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:46.677462101 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:46.730525017 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:46.808473110 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:46.869672060 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:46.869951963 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:46.918051958 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.350881100 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.412200928 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.412237883 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.412265062 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.412292957 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.412317038 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.412359953 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.412482977 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.412504911 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.412528992 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.412555933 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473577976 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473633051 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473659992 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473689079 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473715067 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473738909 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473750114 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473766088 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473819017 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473828077 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473845005 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473853111 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473860979 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473880053 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.473881006 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473901033 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473921061 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473941088 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.473965883 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.474014997 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.474091053 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.474164963 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.474193096 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.474219084 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.474234104 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.474406958 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.534921885 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.534964085 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535002947 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535041094 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535078049 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535270929 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535357952 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535382032 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535484076 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535593987 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535680056 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535754919 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535837889 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535866022 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.535959959 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536082983 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536108017 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536406994 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536436081 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536461115 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536488056 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.536603928 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.592139959 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.592317104 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.592350006 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.592434883 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.592506886 CET | 49765 | 9006 | 192.168.2.4 | 95.143.177.66
Jan 3, 2022 16:11:47.653141975 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653184891 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653218985 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653255939 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653292894 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653491020 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653520107 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653597116 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653675079 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653796911 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653872967 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.653966904 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.654043913 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.654308081 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4
Jan 3, 2022 16:11:47.654333115 CET | 9006 | 49765 | 95.143.177.66 | 192.168.2.4

                                                                                                                                                Code Manipulations

                                                                                                                                                Statistics

                                                                                                                                                Behavior

                                                                                                                                                System Behavior

Start time:16:10:59
Start date:03/01/2022
Path:C:\Users\user\Desktop\EngineOwning.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\EngineOwning.exe"
Imagebase:0x250000
File size:1026952 bytes
MD5 hash:B048329A4A46BAD452D55722A532C911
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp, Author: Joe Security
Reputation:low

Start time:16:11:21
Start date:03/01/2022
Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):true
Commandline:#cmd
Imagebase:0x30000
File size:64616 bytes
MD5 hash:6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.694968676.0000000000412000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.754722189.0000000000412000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.693963090.0000000000412000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000000.694643884.0000000000412000.00000040.00000001.sdmp, Author: Joe Security
Reputation:high
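The two pieces of evidence on this page that an analyst turns into indicators are the network rows (traffic between the sandbox host 192.168.2.4 and 95.143.177.66 on port 9006) and the Yara hits in the memory of RegAsm.exe, the .NET Framework utility the sample started twenty seconds after itself with no recoverable command line. The script below is an added triage example, not Joe Sandbox code: it recovers the columns of network rows whose separators were lost in extraction, reports the remote endpoint they share, and reads the memory-dump names in the Yara "Source" fields to flag hits that sit in writable and executable memory of a process that should not hold such code. The dump-name layout is interpreted as PID.snapshot.timestamp.baseaddress.protection.state with hex fields; that interpretation is an assumption about the tool's naming convention, not something the report states. Sample inputs are constructed from the rows and sources above.

```python
"""Triage helpers for a text export of a Joe Sandbox report (added example).

Assumption: the ".sdmp" names in the Yara Source fields are laid out as
PID.snapshot.timestamp.baseaddress.protection.state, all in hex, with
"protection" being the Win32 page-protection value of the dumped region.
"""
import ipaddress
import re
from collections import Counter

# Win32 page-protection values (low byte); these two are writable+executable.
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

# Constructed sample input: rows and Yara sources copied from the report text.
NETWORK_ROWS = [
    "Jan 3, 2022 16:11:47.653218985 CET90064976595.143.177.66192.168.2.4",
    "Jan 3, 2022 16:11:47.653255939 CET90064976595.143.177.66192.168.2.4",
    "Jan 3, 2022 16:11:47.654333115 CET90064976595.143.177.66192.168.2.4",
]
YARA_SOURCES = {
    "EngineOwning.exe": [
        "00000000.00000002.700141930.00000000036E9000.00000004.00000001.sdmp",
        "00000000.00000002.700163830.000000000370A000.00000004.00000001.sdmp",
    ],
    "RegAsm.exe": [
        "00000005.00000000.694320887.0000000000412000.00000040.00000001.sdmp",
        "00000005.00000002.754722189.0000000000412000.00000040.00000001.sdmp",
    ],
}

ROW_RE = re.compile(r"^(?P<ts>.+? CET)(?P<rest>\d[\d.]*)$")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.(?P<stamp>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<state>[0-9A-F]{8})\.sdmp$",
    re.IGNORECASE,
)


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)  # rejects octets > 255 and stray digits
        return True
    except ValueError:
        return False


def split_network_row(row):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip) for one fused row.

    After the timestamp the export ran "<srcport><dstport><srcip><dstip>"
    together.  Every cut point is tried; the row is accepted only if exactly
    one cut gives two ports in 1..65535 and two valid dotted quads.  Zero or
    several candidates raise instead of guessing.
    """
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    ts, rest = m.group("ts"), m.group("rest")
    first_dot = rest.index(".")
    solutions = set()
    # The first IPv4 octet is 1-3 digits, so the port digits end 1-3 characters
    # before the first dot, and each port needs at least one digit.
    for port_end in range(max(2, first_dot - 3), first_dot):
        ports, ips = rest[:port_end], rest[port_end:]
        for i in range(1, len(ports)):
            sp, dp = int(ports[:i]), int(ports[i:])
            if not (1 <= sp <= 65535 and 1 <= dp <= 65535):
                continue
            for j in range(7, len(ips) - 6):  # "1.1.1.1" is the shortest quad
                if _is_ipv4(ips[:j]) and _is_ipv4(ips[j:]):
                    solutions.add((ts, sp, dp, ips[:j], ips[j:]))
    if len(solutions) != 1:
        raise ValueError(f"{len(solutions)} parses for {row!r}")
    return solutions.pop()


def remote_endpoints(rows):
    """Count (ip, port) pairs on the non-private side of each row."""
    seen = Counter()
    for row in rows:
        _, sp, dp, sip, dip = split_network_row(row)
        for ip, port in ((sip, sp), (dip, dp)):
            if not ipaddress.IPv4Address(ip).is_private:
                seen[(ip, port)] += 1
    return seen


def parse_sdmp_name(name):
    """Split a memory-dump file name into its numeric fields (hex assumed)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return {"pid": int(m["pid"], 16), "base": int(m["base"], 16),
            "protect": int(m["protect"], 16)}


def rwx_yara_hits(process_yara):
    """Return sorted (process, base) pairs whose Yara hit lies in W+X memory.

    A stealer signature inside a PAGE_EXECUTE_READWRITE region of a framework
    utility such as RegAsm.exe is the memory-side evidence behind the report's
    "injects a PE file into a foreign process" verdict.
    """
    hits = set()
    for proc, sources in process_yara.items():
        for src in sources:
            fields = parse_sdmp_name(src)
            if (fields["protect"] & 0xFF) in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
                hits.add((proc, fields["base"]))
    return sorted(hits)


if __name__ == "__main__":
    for (ip, port), n in remote_endpoints(NETWORK_ROWS).items():
        print(f"remote endpoint {ip}:{port} seen in {n} rows")
    for proc, base in rwx_yara_hits(YARA_SOURCES):
        print(f"{proc}: RedLine Yara hit in W+X region at 0x{base:08X}")
```

The row parser refuses to guess: a row that admits two valid column splits is reported rather than silently resolved, which matters when the same script is pointed at rows with shorter ports or single-digit octets. The EngineOwning.exe hits sit in PAGE_READWRITE (0x04) heap memory, as expected for a .NET host holding its decrypted payload, so only the RegAsm.exe region at 0x412000 is flagged.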

                                                                                                                                                Disassembly

                                                                                                                                                Code Analysis