Windows Analysis Report
GipsonyVelo.exe

Overview

General Information

Sample name: GipsonyVelo.exe
Analysis ID: 1519528
MD5: 32c704b735a160a7be83180338c22fb4
SHA1: 9b6b049909a912ef709732ab4cc043bbe6c3af0c
SHA256: 0bb944b7f90288ef7c566a82fb8dcbf805d10b442e30fbce06380907f75c0ed7
Tags: exe, RedLineStealer, user-yuyuko

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • GipsonyVelo.exe (PID: 5640 cmdline: "C:\Users\user\Desktop\GipsonyVelo.exe" MD5: 32C704B735A160A7BE83180338C22FB4)
    • conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 5804 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is malware sold on underground forums, apparently both as a standalone purchase ($100/$150 depending on the version) and on a subscription basis ($100/month). It harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including the username, location data, hardware configuration, and information about installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware can upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
{"C2 url": "185.196.9.26:6302", "Authorization Header": "67bd855e4ce847859f82655be579f403"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2242328153.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: GipsonyVelo.exe PID: 5640 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Source | Rule | Description | Author
0.2.GipsonyVelo.exe.3ab5570.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.GipsonyVelo.exe.3ab5570.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                      No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-26T16:29:08.319656+0200 | 2043234 | 1 | A Network Trojan was detected | 185.196.9.26 | 6302 | 192.168.2.5 | 49724 | TCP
2024-09-26T16:29:08.128028+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
2024-09-26T16:29:13.373808+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
2024-09-26T16:29:15.535799+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
2024-09-26T16:29:15.789467+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
2024-09-26T16:29:15.179544+0200 | 2046056 | 1 | A Network Trojan was detected | 185.196.9.26 | 6302 | 192.168.2.5 | 49724 | TCP
2024-09-26T16:29:08.128028+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP


                      AV Detection

Source: 00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "185.196.9.26:6302", "Authorization Header": "67bd855e4ce847859f82655be579f403"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: GipsonyVelo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: GipsonyVelo.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06CE2958h | 3_2_06CE2460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 06CE0553h | 3_2_06CE0290

                      Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.5:49724 -> 185.196.9.26:6302
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.5:49724 -> 185.196.9.26:6302
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.196.9.26:6302 -> 192.168.2.5:49724
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.196.9.26:6302 -> 192.168.2.5:49724
Source: Malware configuration extractor | URLs: 185.196.9.26:6302
Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 185.196.9.26:6302
Source: Joe Sandbox View | IP Address: 185.196.9.26
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.9.26 (16 occurrences)
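The Suricata rule names above ("MC-NMF Authorization", "Id1Response") and the WS-*, SOAP and tempuri.org/Entity/IdN strings recovered from RegAsm.exe memory below point to a WCF net.tcp channel: the bot is a WCF client, the C2 is a WCF service, and the first bytes on the wire are the .NET Message Framing (MC-NMF) preamble, whose Via record names the endpoint the client dials. As an added example that is not part of the Joe Sandbox report, the Python below decodes that preamble and pulls out the kind of indicators the IDS rules key on. The record layout follows the published MC-NMF specification; the sample bytes are constructed here (modelled on the C2 in the extracted config), not taken from the sandbox pcap, and the "expected net.tcp port" set is an assumption.

```python
"""Decode the MC-NMF (.NET Message Framing) preamble of a WCF net.tcp session.

Added example, not part of the sandbox report. Record types and the
7-bit varint size prefix follow the MC-NMF spec; sample input is constructed."""
import re

(VERSION, MODE, VIA, KNOWN_ENCODING, EXTENSIBLE_ENCODING, UNSIZED_ENVELOPE,
 SIZED_ENVELOPE, END, FAULT, UPGRADE_REQUEST, UPGRADE_RESPONSE,
 PREAMBLE_ACK, PREAMBLE_END) = range(13)

MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF8/SOAP1.1", 1: "UTF16/SOAP1.1", 2: "UnicodeLE/SOAP1.1",
             3: "UTF8/SOAP1.2", 4: "UTF16/SOAP1.2", 5: "UnicodeLE/SOAP1.2",
             6: "MTOM", 7: "Binary", 8: "BinaryWithDictionary"}
# net.tcp's default port is 808; anything else is "non-standard" here (assumption).
EXPECTED_NET_TCP_PORTS = {808}
VIA_RE = re.compile(r"^(?P<scheme>[a-z][a-z0-9+.-]*)://(?P<host>[^/:]+)(?::(?P<port>\d+))?", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def read_varint(buf: bytes, pos: int):
    """MC-NMF size fields are 7-bit little-endian varints (BinaryWriter style)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated size field")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 35:
            raise ValueError("size field too long")


def write_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def parse_preamble(buf: bytes):
    """Return [(record_name, value), ...] up to and including PreambleEnd."""
    records, pos = [], 0
    while pos < len(buf):
        rtype = buf[pos]
        pos += 1
        if rtype == VERSION:
            if pos + 2 > len(buf):
                raise ValueError("truncated Version record")
            records.append(("Version", f"{buf[pos]}.{buf[pos + 1]}"))
            pos += 2
        elif rtype in (MODE, KNOWN_ENCODING):
            if pos >= len(buf):
                raise ValueError("truncated record")
            table, name = (MODES, "Mode") if rtype == MODE else (ENCODINGS, "KnownEncoding")
            records.append((name, table.get(buf[pos], f"unknown({buf[pos]})")))
            pos += 1
        elif rtype in (VIA, UPGRADE_REQUEST):
            size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("truncated string record")
            text = buf[pos:pos + size].decode("utf-8")
            pos += size
            records.append(("Via" if rtype == VIA else "UpgradeRequest", text))
        elif rtype == PREAMBLE_END:
            records.append(("PreambleEnd", None))
            break
        else:
            raise ValueError(f"record type 0x{rtype:02x} not valid in a preamble")
    return records


def c2_indicators(records):
    """Extract the endpoint from the Via record and flag what a RedLine-style
    C2 looks like on the wire: a bare IP dialled on a non-default net.tcp port."""
    via = dict(records).get("Via") or ""
    m = VIA_RE.match(via)
    if not m:
        return {"via": via, "indicators": ["no_parsable_via"]}
    host, port = m.group("host"), int(m.group("port") or 808)
    indicators = []
    if IPV4_RE.match(host):
        indicators.append("via_is_bare_ip")
    if port not in EXPECTED_NET_TCP_PORTS:
        indicators.append(f"nonstandard_port:{port}")
    return {"via": via, "scheme": m.group("scheme"), "host": host,
            "port": port, "indicators": indicators}


def build_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """Assemble a client preamble (used here only to construct sample input)."""
    v = via.encode("utf-8")
    return (bytes([VERSION, 1, 0, MODE, mode, VIA]) + write_varint(len(v)) + v
            + bytes([KNOWN_ENCODING, encoding, PREAMBLE_END]))


# Constructed sample input, modelled on the C2 endpoint in the extracted config.
SAMPLE_C2_PREAMBLE = build_preamble("net.tcp://185.196.9.26:6302/")
SAMPLE_BENIGN_PREAMBLE = build_preamble("net.tcp://orders.corp.example:808/OrderService")

if __name__ == "__main__":
    for label, blob in (("c2", SAMPLE_C2_PREAMBLE), ("benign", SAMPLE_BENIGN_PREAMBLE)):
        recs = parse_preamble(blob)
        print(label, recs, c2_indicators(recs))
```

Two caveats. The preamble is only the framing layer: the RedLine authorization value from the config and the Entity/IdN SOAP actions live inside the binary-XML envelopes that follow, so a preamble check is a triage filter, not a family signature. And legitimate WCF services do sometimes listen on a bare IP and a non-default port, which is why the indicators are reported as a list for an analyst rather than collapsed into a verdict.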
Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory (WS-Security, WS-Trust, WS-SecureConversation, WS-AtomicTransaction and WS-Coordination namespaces, as emitted by the WCF runtime):
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  http://schemas.xmlsoap.org/ws/2005/02/trust
  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
  http://tempuri.org/D
Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory (SOAP, WS-Addressing and WS-ReliableMessaging namespaces plus the tempuri.org/Entity/IdN contract actions of the C2 service):
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rmX
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  http://tempuri.org/
  http://tempuri.org/Entity/Id1
  http://tempuri.org/Entity/Id10
  http://tempuri.org/Entity/Id10Response
  http://tempuri.org/Entity/Id11
  http://tempuri.org/Entity/Id11Response
  http://tempuri.org/Entity/Id12
  http://tempuri.org/Entity/Id12Response
  http://tempuri.org/Entity/Id13
  http://tempuri.org/Entity/Id13Response
  http://tempuri.org/Entity/Id14
  http://tempuri.org/Entity/Id14Response
  http://tempuri.org/Entity/Id15
  http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: GipsonyVelo.exe, 00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2242328153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                      Source: RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

                      Source: GipsonyVelo.exe, MoveAngles.cs | Large array initialization: MoveAngles: array initializer size 307712
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0109DC74 | 3_2_0109DC74
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CEE6A0 | 3_2_06CEE6A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CE2460 | 3_2_06CE2460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CEA52A | 3_2_06CEA52A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CE53C8 | 3_2_06CE53C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CE43B8 | 3_2_06CE43B8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CE0CD0 | 3_2_06CE0CD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CEDE40 | 3_2_06CEDE40
                      Source: GipsonyVelo.exe, 00000000.00000002.2151803150.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs GipsonyVelo.exe
                      Source: GipsonyVelo.exe, 00000000.00000002.2153563727.0000000003AE9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLandings.exe8 vs GipsonyVelo.exe
                      Source: GipsonyVelo.exe, 00000000.00000000.2127395128.00000000005C0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQP.exe< vs GipsonyVelo.exe
                      Source: GipsonyVelo.exe | Binary or memory string: OriginalFilenameVQP.exe< vs GipsonyVelo.exe
                      Source: GipsonyVelo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: GipsonyVelo.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/3@0/1
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GipsonyVelo.exe.log
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
                      Source: GipsonyVelo.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\GipsonyVelo.exe "C:\Users\user\Desktop\GipsonyVelo.exe"
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: GipsonyVelo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: GipsonyVelo.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: GipsonyVelo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CE3E10 push esp; ret | 3_2_06CE3EC9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CEDCF9 push FFFFFF8Bh; iretd | 3_2_06CEDD03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CEDD9F push FFFFFF8Bh; iretd | 3_2_06CEDDA2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_06CEDD44 push FFFFFF8Bh; iretd | 3_2_06CEDD4E
                      Source: GipsonyVelo.exe | Static PE information: section name: .text entropy: 7.9942096469448165
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory allocated: F50000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory allocated: 2AB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory allocated: F50000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 1090000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2D70000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2A80000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 597
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1573
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe TID: 3524 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5728 Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5344 Thread sleep count: 597 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5344 Thread sleep count: 1573 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2260 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                      Source: RegAsm.exe, 00000003.00000002.2243765956.00000000010E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                      Source: RegAsm.exe, 00000003.00000002.2248982984.0000000004107000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_06CE0CD0 LdrInitializeThunk,3_2_06CE0CD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Code function: 0_2_02AB214D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,0_2_02AB214D
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D03008
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Users\user\Desktop\GipsonyVelo.exe Queries volume information: C:\Users\user\Desktop\GipsonyVelo.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: RegAsm.exe, 00000003.00000002.2258373771.0000000006E0B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2256522744.0000000005EFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
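Two of the behaviours in this report are worth pulling out of the event list automatically: the WMI pattern (root\cimv2 queries for Win32_DiskDrive, Win32_VideoController and Win32_Processor in the "Malware Analysis System Evasion" section, then ROOT\SecurityCenter and ROOT\SecurityCenter2 queries for AntivirusProduct, AntiSpyWareProduct and FirewallProduct above) and the RunPE-style chain in function 0_2_02AB214D (CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) whose first write places an MZ header (4D5A) at base 400000 of the suspended RegAsm.exe. The Python below is an added triage example written for this page; it is not part of the Joe Sandbox report or its tooling. It runs over a few event lines constructed here in the same "Source: <process> <event>" shape as the lines above (shortened from the report, not copied), and the WMI class lists, the chain order and the "Source ... .exe " line shape are its assumptions.

```python
import re

# Constructed sample events in the same "Source: <process> <event>" shape as the
# report lines above (shortened from the report, not copied verbatim). The line
# shape, the WMI class lists and the chain order below are this example's assumptions.
SAMPLE_EVENTS = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\GipsonyVelo.exe Code function: 0_2_02AB214D GetProcAddress,GetProcAddress,CreateProcessA,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,0_2_02AB214D
Source: C:\Users\user\Desktop\GipsonyVelo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\GipsonyVelo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
"""

LINE_RE = re.compile(r"^Source: (?P<src>.+?\.exe) (?P<event>.+)$")
WMI_RE = re.compile(r"^WMI Queries: IWbemServices::ExecQuery - (?P<ns>\S+) : SELECT \* FROM (?P<cls>\w+)")
FUNC_RE = re.compile(r"^Code function: (?P<addr>\S+) (?P<calls>.+)$")
MZ_RE = re.compile(r"^Memory written: (?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+) value starts with: 4D5A$")

# cimv2 classes commonly read to fingerprint a VM (disk model, GPU name, CPU);
# SecurityCenter classes enumerate installed AV / antispyware / firewall products.
VM_FINGERPRINT_CLASSES = {"Win32_DiskDrive", "Win32_VideoController", "Win32_Processor"}
SECURITY_PRODUCT_CLASSES = {"AntivirusProduct", "AntiSpyWareProduct", "FirewallProduct"}

# Ordered RunPE / process-hollowing chain; each step also accepts its Wow64 variant.
HOLLOWING_CHAIN = [
    {"CreateProcessA", "CreateProcessW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread"},
]


def classify_wmi(namespace, cls):
    ns = namespace.lower()
    if ns.endswith(("securitycenter", "securitycenter2")) and cls in SECURITY_PRODUCT_CLASSES:
        return "security_product_enumeration"
    if ns.endswith("cimv2") and cls in VM_FINGERPRINT_CLASSES:
        return "vm_fingerprinting"
    return None


def has_ordered_chain(calls, chain):
    """True if every step of chain occurs in calls, in order (other calls may sit between)."""
    it = iter(calls)
    return all(any(c in step for c in it) for step in chain)


def verdict(report):
    findings = []
    if len(set(report["vm_fingerprinting"])) >= 2:
        findings.append("VM fingerprinting via WMI")
    if report["security_product_enumeration"]:
        findings.append("security product enumeration via WMI")
    if report["hollowing_functions"] and report["mz_writes"]:
        findings.append("process hollowing: RunPE API chain plus MZ header written into a foreign process")
    elif report["hollowing_functions"] or report["mz_writes"]:
        findings.append("possible process injection (chain or MZ write seen, not both)")
    return findings


def triage(text):
    report = {"vm_fingerprinting": [], "security_product_enumeration": [],
              "hollowing_functions": [], "mz_writes": []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        src, event = m.group("src"), m.group("event")
        w = WMI_RE.match(event)
        if w:
            kind = classify_wmi(w.group("ns"), w.group("cls"))
            if kind:
                report[kind].append(w.group("cls"))
            continue
        f = FUNC_RE.match(event)
        if f:
            addr = f.group("addr")
            # The sandbox repeats the function address as the last token; drop it.
            calls = [c for c in f.group("calls").split(",") if c and c != addr]
            if has_ordered_chain(calls, HOLLOWING_CHAIN):
                report["hollowing_functions"].append((src, addr))
            continue
        z = MZ_RE.match(event)
        if z:
            report["mz_writes"].append((src, z.group("target"), int(z.group("base"), 16)))
    report["verdict"] = verdict(report)
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS)["verdict"]:
        print(finding)
```

The chain check is a subsequence match, so the GetProcAddress and VirtualAlloc calls interleaved in the real function do not break it; the MZ write alone is only reported as "possible injection" because a legitimate loader or debugger can also write a PE header into another process, and it is the chain plus the write into a freshly created suspended process that makes this hollowing.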

                      Stealing of Sensitive Information

                      Source: Yara match File source: dump.pcap, type: PCAP
                      Source: Yara match File source: 0.2.GipsonyVelo.exe.3ab5570.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.GipsonyVelo.exe.3ab5570.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.2242328153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: GipsonyVelo.exe PID: 5640, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5804, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                      Source: Yara match File source: 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5804, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.GipsonyVelo.exe.3ab5570.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GipsonyVelo.exe.3ab5570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2242328153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: GipsonyVelo.exe PID: 5640, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5804, type: MEMORYSTR
Tactic | Techniques (numbers shown before a technique name are the report's signature-count badges)
Reconnaissance | Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development | Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access | Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution | 221 Windows Management Instrumentation | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence | 1 DLL Side-Loading | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation | 411 Process Injection | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Defense Evasion | 1 Masquerading | 1 Disable or Modify Tools | 241 Virtualization/Sandbox Evasion | 411 Process Injection | 3 Obfuscated Files or Information | 2 Software Packing | 1 DLL Side-Loading
Credential Access | 1 OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery | 231 Security Software Discovery | 1 Process Discovery | 241 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 113 System Information Discovery | Wi-Fi Discovery | Remote System Discovery
Lateral Movement | Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection | 1 Archive Collected Data | 2 Data from Local System | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control | 1 Encrypted Channel | 1 Non-Standard Port | 1 Application Layer Protocol | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration | Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact | Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery



                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | Avira URL Cloud | safe
http://tempuri.org/ | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe
185.196.9.26:6302 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | 0% | Avira URL Cloud | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id3ResponseD | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT | 0% | Avira URL Cloud | safe
http://tempuri.org/D | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
185.196.9.26:6302 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id15Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ip.sb/ip | GipsonyVelo.exe, 00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2242328153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id9Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id20 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23 | RegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id24 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id24Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id10 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id11 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id12 | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id16Response | RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                        http://tempuri.org/Entity/Id13RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id14RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id15RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id16RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id17RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id18RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id19RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1RegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=RegAsm.exe, 00000003.00000002.2244883002.00000000033C0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2248982984.0000000003DAB000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2005/02/trustRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id3ResponseDRegAsm.exe, 00000003.00000002.2244883002.0000000002F2A000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/Entity/Id23ResponseRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2244883002.0000000002D71000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://tempuri.org/DRegAsm.exe, 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 185.196.9.26 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | true |
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1519528
                        Start date and time:2024-09-26 16:28:04 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 20s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:GipsonyVelo.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/3@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 22
                        • Number of non-executed functions: 2
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 20.190.159.64, 40.126.31.71, 20.190.159.75, 20.190.159.23, 40.126.31.69, 20.190.159.73, 20.190.159.71, 20.190.159.0
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ocsp.edge.digicert.com, ctldl.windowsupdate.com, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: GipsonyVelo.exe
| Time | Type | Description |
|---|---|---|
| 10:29:13 | API Interceptor | 12x Sleep call for process: RegAsm.exe modified |
| Match | Associated Sample Name / URL | Detection | Threat Name |
|---|---|---|---|
| 185.196.9.26 | sRMytgfRpJ.exe | malicious | RedLine |
| | HotYVOv1.exe | malicious | RedLine |
| | sloppyCatsV1.exe | malicious | RedLine |
| | UltraViolince.exe | malicious | RedLine |
| | GTA 5 Mod Menu.exe | malicious | RedLine |
| | GTA 5 Mod Menu.exe | malicious | RedLine |
| | UIExecutor.exe | malicious | RedLine |
| | i0OvRpJuq7.exe | malicious | RedLine |
| | IrisKevin533Rachel.lib.exe | malicious | RedLine |
| | Loader.exe | malicious | RedLine |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| fp2e7a.wpc.phicdn.net | https://dyjh.invdigitaldocs.com/Yp45g | malicious | HTMLPhisher | 192.229.221.95 |
| | https://fub.direct/1/-vWjF5-zkXOO9FYu1PvcR9oL_v9wxWQugIahU1Sumip1aJEFjv7arGFxl8RwHXdse9Zqfr-Geb0wD7JwZstmrogxBkr93dacZn8BO2DpKYk/https/goncalvesalexandre.com/g63f/5876983556/Marlpar/#?email=amhAbWFybHBhci5jb20= | malicious | HTMLPhisher | 192.229.221.95 |
| | https://uwazidigital.co.ke/mde/anti.php/ | malicious | HTMLPhisher | 192.229.221.95 |
| | file.exe | malicious | Phorpiex | 192.229.221.95 |
| | SWIFT.exe | malicious | FormBook | 192.229.221.95 |
| | http://erptanacsadas.hu.pages.services/secure-business-document/?ts=1726767567620 | malicious | HtmlDropper | 192.229.221.95 |
| | https://urbantechvibeos.za.com/xnVG/ | malicious | HTMLPhisher | 192.229.221.95 |
| | https://finalsteptogo.com/uploads/il4.txt | malicious | Unknown | 192.229.221.95 |
| | http://t.nypost.com/1/e/r?aqet=clk&r=2&ca=35257893&v0=rhn21600@pvwfzajcv.com&yf=//youtube.com.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&ru=//eddieslawn.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw==&yf=//eduyieldyf.com/q/ndppd/aanqtpx/YW1hbmRhLm1pbGxlckB5Ym9ubGluZS5jby51aw== | malicious | HTMLPhisher | 192.229.221.95 |
| | https://game-repack.site/2024/09/26/bloodborne | malicious | Unknown | 192.229.221.95 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| SIMPLECARRIERCH | sRMytgfRpJ.exe | malicious | RedLine | 185.196.9.26 |
| | zrOUNP9gMJ.exe | malicious | AsyncRAT, VenomRAT | 185.196.10.235 |
| | Or3dzp4vB1.exe | malicious | XWorm | 185.196.10.235 |
| | KAV3vJud90.exe | malicious | DarkVision Rat | 185.196.10.235 |
| | updater.exe | malicious | RHADAMANTHYS | 185.196.11.237 |
| | HotYVOv1.exe | malicious | RedLine | 185.196.9.26 |
| | VtkzI2DleKAWijQ.exe | malicious | AgentTesla | 185.196.9.150 |
| | sloppyCatsV1.exe | malicious | RedLine | 185.196.9.26 |
| | UltraViolince.exe | malicious | RedLine | 185.196.9.26 |
| | GTA 5 Mod Menu.exe | malicious | RedLine | 185.196.9.26 |
                                            No context
                                            No context
                                            Process:C:\Users\user\Desktop\GipsonyVelo.exe
                                            File Type:CSV text
                                            Category:modified
                                            Size (bytes):425
                                            Entropy (8bit):5.353683843266035
                                            Encrypted:false
                                            SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                                            MD5:859802284B12C59DDBB85B0AC64C08F0
                                            SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                                            SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                                            SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):3094
                                            Entropy (8bit):5.33145931749415
                                            Encrypted:false
                                            SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
                                            MD5:3FD5C0634443FB2EF2796B9636159CB6
                                            SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
                                            SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
                                            SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Users\user\Desktop\GipsonyVelo.exe
                                            File Type:ASCII text, with CRLF, LF line terminators
                                            Category:dropped
                                            Size (bytes):33
                                            Entropy (8bit):2.2845972159140855
                                            Encrypted:false
                                            SSDEEP:3:i6vvRyMivvRya:iKvHivD
                                            MD5:45B4C82B8041BF0F9CCED0D6A18D151A
                                            SHA1:B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
                                            SHA-256:7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
                                            SHA-512:B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:0..1..2..3..4..0..1..2..3..4.....
                                            File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.986143734545745
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:GipsonyVelo.exe
                                            File size:317'952 bytes
                                            MD5:32c704b735a160a7be83180338c22fb4
                                            SHA1:9b6b049909a912ef709732ab4cc043bbe6c3af0c
                                            SHA256:0bb944b7f90288ef7c566a82fb8dcbf805d10b442e30fbce06380907f75c0ed7
                                            SHA512:d27fb8f00aa5eb3cb42a097fec599313d78668d3c4a46c7df44d56c512545d84eac3620e7cd34b7c5885bbd3807336c6a33a1c40544e45ad192bc127bb2a9fdb
                                            SSDEEP:6144:cU5CyCwjYmbw989W+WB+C7ssB2NaPIB1RQHrh7sq4WBhxtbImbyu:hCDXYwGpSQEtHrebWBntk
                                            TLSH:61642391FBF40F11EBD50B3C60A1865D92BE8C3BB005BBB71DD29A1A2AC47505BC27B4
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....@.f................................. ........@.. .......................@............`................................
                                            Icon Hash:00928e8e8686b000
                                            Entrypoint:0x44eeee
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows cui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x66F5409C [Thu Sep 26 11:08:12 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4ee94 | 0x57 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x5b8 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x52000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4ed5c | 0x1c | .text
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x2000 | 0x4cef4 | 0x4d000 | a9061dff8dd0dd7576158d94766075d3 | False | 0.993062601461039 | data | 7.9942096469448165 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0x50000 | 0x5b8 | 0x600 | 59c39f15f05bc5bec30f54a84b9c8ed2 | False | 0.4361979166666667 | data | 4.110921347030149 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0x52000 | 0xc | 0x200 | 373b43510c617123c37336c865c655e3 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_VERSION | 0x500a0 | 0x324 | data | | | 0.4552238805970149
                                            RT_MANIFEST | 0x503c8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                            DLL | Import
                                            mscoree.dll | _CorExeMain
                                            Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                            2024-09-26T16:29:08.128028+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
                                            2024-09-26T16:29:08.128028+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
                                            2024-09-26T16:29:08.319656+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 185.196.9.26 | 6302 | 192.168.2.5 | 49724 | TCP
                                            2024-09-26T16:29:13.373808+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
                                            2024-09-26T16:29:15.179544+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 185.196.9.26 | 6302 | 192.168.2.5 | 49724 | TCP
                                            2024-09-26T16:29:15.535799+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
                                            2024-09-26T16:29:15.789467+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.5 | 49724 | 185.196.9.26 | 6302 | TCP
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Sep 26, 2024 16:29:07.445354939 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:07.450259924 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:07.450347900 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:07.459527969 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:07.464503050 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:08.094620943 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:08.128027916 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:08.132896900 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:08.319655895 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:08.370307922 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:13.373807907 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:13.379142046 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569752932 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569797039 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569816113 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569828033 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569839954 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569839001 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:13.569852114 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:13.569875002 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:13.569905996 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.174451113 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.179543972 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179560900 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179573059 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179584980 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179596901 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179604053 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.179610968 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179625988 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179639101 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.179672956 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.179688931 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.179825068 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179838896 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.179869890 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184484005 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184622049 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184634924 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184655905 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184668064 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184679985 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.184818983 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.185379028 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.185391903 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.185404062 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.534878969 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.535799026 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Sep 26, 2024 16:29:15.540957928 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.750858068 CEST | 6302 | 49724 | 185.196.9.26 | 192.168.2.5
                                            Sep 26, 2024 16:29:15.789467096 CEST | 49724 | 6302 | 192.168.2.5 | 185.196.9.26
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Sep 26, 2024 16:29:20.886109114 CEST | 53 | 63554 | 1.1.1.1 | 192.168.2.5
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Sep 26, 2024 16:29:01.932760954 CEST | 1.1.1.1 | 192.168.2.5 | 0xe5f3 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
                                            Sep 26, 2024 16:29:01.932760954 CEST | 1.1.1.1 | 192.168.2.5 | 0xe5f3 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false


                                            Target ID:0
                                            Start time:10:29:03
                                            Start date:26/09/2024
                                            Path:C:\Users\user\Desktop\GipsonyVelo.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\GipsonyVelo.exe"
                                            Imagebase:0x570000
                                            File size:317'952 bytes
                                            MD5 hash:32C704B735A160A7BE83180338C22FB4
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2153563727.0000000003AB5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:10:29:03
                                            Start date:26/09/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:10:29:05
                                            Start date:26/09/2024
                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                            Imagebase:0x7ff6d64d0000
                                            File size:65'440 bytes
                                            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2242328153.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2244883002.0000000002E04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:38.2%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:30%
                                              Total number of Nodes:20
                                              Total number of Limit Nodes:0
                                              execution_graph 514 2ab214d 518 2ab2185 CreateProcessA VirtualAlloc Wow64GetThreadContext ReadProcessMemory VirtualAllocEx 514->518 516 2ab2362 WriteProcessMemory 517 2ab23a7 516->517 519 2ab23e9 WriteProcessMemory Wow64SetThreadContext ResumeThread 517->519 520 2ab23ac WriteProcessMemory 517->520 518->516 520->517 539 ff0979 540 ff0988 539->540 541 ff0ad6 540->541 542 ff1268 VirtualProtectEx 540->542 543 ff1270 VirtualProtectEx 540->543 542->541 543->541 521 ff0988 522 ff09aa 521->522 523 ff0ad6 522->523 526 ff1268 522->526 530 ff1270 522->530 527 ff126e VirtualProtectEx 526->527 529 ff12ff 527->529 529->523 531 ff12bb VirtualProtectEx 530->531 533 ff12ff 531->533 533->523

                                              Callgraph

                                              callgraph 0 Function_00FF047D 1 Function_00FF027C 2 Function_00FF0479 3 Function_00FF0979 10 Function_00FF1270 3->10 18 Function_00FF1268 3->18 32 Function_00FF0C58 3->32 44 Function_00FF0548 3->44 52 Function_00FF0B40 3->52 54 Function_00FF053C 3->54 60 Function_00FF0530 3->60 66 Function_00FF0524 3->66 4 Function_00FF0178 5 Function_00FF01F8 6 Function_00FF0475 7 Function_00FF10F4 14 Function_00FF026C 7->14 8 Function_02AB1FA6 9 Function_00FF0471 11 Function_00FF0070 12 Function_00FF00F0 13 Function_00FF046D 15 Function_00FF01EC 16 Function_00FF0469 17 Function_00FF08E8 19 Function_02AB1D33 20 Function_00FF0165 21 Function_00FF0465 22 Function_00FF00E4 23 Function_00FF0461 24 Function_00FF0561 25 Function_00FF0060 26 Function_00FF0260 27 Function_00FF04DF 28 Function_00FF0F5F 28->14 29 Function_00FF045D 30 Function_00FF055D 31 Function_00FF0559 33 Function_00FF08D8 34 Function_00FF0A57 34->10 34->18 34->32 34->44 34->52 34->54 34->60 35 Function_00FF01D5 36 Function_00FF0555 37 Function_00FF0154 38 Function_00FF00D4 39 Function_00FF0450 40 Function_00FF004D 41 Function_00FF04C9 42 Function_00FF0148 43 Function_00FF00C8 45 Function_00FF0848 46 Function_00FF0BC8 47 Function_00FF04C5 48 Function_00FF0845 49 Function_00FF0244 50 Function_00FF0444 51 Function_00FF04C1 53 Function_00FF01C0 54->14 55 Function_00FF00BC 56 Function_00FF013C 57 Function_00FF01B4 58 Function_00FF0234 59 Function_00FF00B0 60->14 61 Function_00FF1330 62 Function_00FF012C 63 Function_00FF10AC 63->14 64 Function_00FF01A8 65 Function_00FF10A6 67 Function_00FF0224 68 Function_00FF00A0 69 Function_00FF011C 70 Function_00FF121C 70->14 71 Function_02AB214D 72 Function_00FF0198 73 Function_00FF0498 74 Function_00FF0518 75 Function_00FF1216 76 Function_00FF0015 77 Function_00FF0214 78 Function_00FF0090 79 Function_00FF0B10 79->52 80 Function_00FF010C 81 Function_00FF0988 81->10 81->18 81->32 81->44 81->52 81->54 81->60 81->66 82 Function_00FF0188 83 
Function_00FF0208 84 Function_00FF0100 85 Function_00FF0080

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02AB20BF,02AB20AF), ref: 02AB22BC
                                              • VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02AB22CF
                                              • Wow64GetThreadContext.KERNEL32(000000AC,00000000), ref: 02AB22ED
                                              • ReadProcessMemory.KERNELBASE(000000A8,?,02AB2103,00000004,00000000), ref: 02AB2311
                                              • VirtualAllocEx.KERNELBASE(000000A8,?,?,00003000,00000040), ref: 02AB233C
                                              • WriteProcessMemory.KERNELBASE(000000A8,00000000,?,?,00000000,?), ref: 02AB2394
                                              • WriteProcessMemory.KERNELBASE(000000A8,00400000,?,?,00000000,?,00000028), ref: 02AB23DF
                                              • WriteProcessMemory.KERNELBASE(000000A8,-00000008,?,00000004,00000000), ref: 02AB241D
                                              • Wow64SetThreadContext.KERNEL32(000000AC,01010000), ref: 02AB2459
                                              • ResumeThread.KERNELBASE(000000AC), ref: 02AB2468
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2152473775.0000000002AB1000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AB1000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2ab1000_GipsonyVelo.jbxd
                                              Similarity
                                              • API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
                                              • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
                                              • API String ID: 2687962208-1257834847
                                              • Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                              • Instruction ID: a0dd2bae30c0f3f318b58fe7d8219d575371dc4f6110394ac48c622f8a3a2f5c
                                              • Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
                                              • Instruction Fuzzy Hash: 2FB1F67660024AAFDB60CF68CC80BDA77A9FF88714F158525EA08AB341D774FA41CB94

                                              Control-flow Graph

                                              control_flow_graph 23 ff1268-ff12fd VirtualProtectEx 28 ff12ff 23->28 29 ff1304-ff1325 23->29 28->29
                                              APIs
                                              • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00FF12F0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2152325179.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_ff0000_GipsonyVelo.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: bffdeee65f707bde449108fb37376231917b65f01af633bdbe2c2eb3d9017031
                                              • Instruction ID: 67ac73d339557cffe5a086fd0b8228e13fe594edacebc1f24d5f7413c47df99a
                                              • Opcode Fuzzy Hash: bffdeee65f707bde449108fb37376231917b65f01af633bdbe2c2eb3d9017031
                                              • Instruction Fuzzy Hash: E721E2B1900249DFCB10DFAAC885AEEBFF4FF49310F10842AE919A7250C774A945DBA1

                                              Control-flow Graph

                                              control_flow_graph 32 ff1270-ff12fd VirtualProtectEx 35 ff12ff 32->35 36 ff1304-ff1325 32->36 35->36
                                              APIs
                                              • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00FF12F0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2152325179.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_ff0000_GipsonyVelo.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 43e40017334ecd72f6e9c121550fb40a0fc00a016d2afd6c2e3280924c3bb044
                                              • Instruction ID: cb7fd4fff7e5bc5212d59c3542884d288c7a3c88d545718f350942c7d3c75d5a
                                              • Opcode Fuzzy Hash: 43e40017334ecd72f6e9c121550fb40a0fc00a016d2afd6c2e3280924c3bb044
                                              • Instruction Fuzzy Hash: C921E2B1900249DFCB10DFAAC880AEEFBF5FF48310F50842AE919A7250C775A944CBA1

                                              Execution Graph

                                              Execution Coverage:12.8%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:73
                                              Total number of Limit Nodes:10
                                              execution_graph 27396 1094668 27397 1094684 27396->27397 27398 1094696 27397->27398 27400 10947a0 27397->27400 27401 10947c5 27400->27401 27405 10948a1 27401->27405 27409 10948b0 27401->27409 27407 10948b0 27405->27407 27406 10949b4 27406->27406 27407->27406 27413 1094248 27407->27413 27410 10948d7 27409->27410 27411 10949b4 27410->27411 27412 1094248 CreateActCtxA 27410->27412 27412->27411 27414 1095940 CreateActCtxA 27413->27414 27416 1095a03 27414->27416 27434 109ad38 27437 109ae30 27434->27437 27435 109ad47 27438 109ae41 27437->27438 27439 109ae64 27437->27439 27438->27439 27440 109b068 GetModuleHandleW 27438->27440 27439->27435 27441 109b095 27440->27441 27441->27435 27442 109d0b8 27443 109d0fe 27442->27443 27447 109d289 27443->27447 27451 109d298 27443->27451 27444 109d1eb 27448 109d298 27447->27448 27454 109c9a0 27448->27454 27452 109c9a0 DuplicateHandle 27451->27452 27453 109d2c6 27452->27453 27453->27444 27455 109d300 DuplicateHandle 27454->27455 27456 109d2c6 27455->27456 27456->27444 27417 6ce6ec3 27418 6ce6e5c 27417->27418 27422 6ce7f5b 27418->27422 27426 6ce7f60 27418->27426 27419 6ce6e7d 27423 6ce7fa8 27422->27423 27424 6ce7fb1 27423->27424 27430 6ce7c9c 27423->27430 27424->27419 27427 6ce7fa8 27426->27427 27428 6ce7fb1 27427->27428 27429 6ce7c9c LoadLibraryW 27427->27429 27428->27419 27429->27428 27431 6ce80a8 LoadLibraryW 27430->27431 27433 6ce811d 27431->27433 27433->27424 27457 6ce0150 27458 6ce0155 27457->27458 27459 6ce01e7 27458->27459 27466 6ce21ae 27458->27466 27470 6ce1770 27458->27470 27474 6ce0cd0 27458->27474 27478 6ce1a1b 27458->27478 27482 6ce0ccb 27458->27482 27486 6ce20cf 27458->27486 27467 6ce2198 27466->27467 27468 6ce0e30 27466->27468 27468->27467 27469 6ce164b LdrInitializeThunk 27468->27469 27469->27468 27472 6ce0e30 27470->27472 27471 6ce2198 27471->27471 27472->27471 27473 6ce164b LdrInitializeThunk 27472->27473 27473->27472 27477 6ce0cfd 27474->27477 27475 6ce2198 27475->27475 
27476 6ce164b LdrInitializeThunk 27476->27477 27477->27475 27477->27476 27479 6ce0e30 27478->27479 27480 6ce2198 27479->27480 27481 6ce164b LdrInitializeThunk 27479->27481 27481->27479 27484 6ce0cd0 27482->27484 27483 6ce2198 27483->27483 27484->27483 27485 6ce164b LdrInitializeThunk 27484->27485 27485->27484 27489 6ce0e30 27486->27489 27487 6ce2198 27487->27487 27488 6ce164b LdrInitializeThunk 27488->27489 27489->27487 27489->27488
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: (_]q$(_]q$,aq$4c]q$4c]q$Haq$Nv\q$$]q$$]q$c]q$c]q
                                              • API String ID: 0-4229033683
                                              • Opcode ID: 9b3fdcdc3449fd25e09e51bc695e12c35df78cdb6704c9088f690c10109a0bc1
                                              • Instruction ID: 1e558d6a1fc6d62dc237b04ea1d223fa136cfc8ccc94b1aa83365630d10b347a
                                              • Opcode Fuzzy Hash: 9b3fdcdc3449fd25e09e51bc695e12c35df78cdb6704c9088f690c10109a0bc1
                                              • Instruction Fuzzy Hash: 1372B970F801298FCBA9ABBD496067D65E77FCCB00B20496DD04ADF394ED68CD418BA5

                                              Control-flow Graph

                                              control_flow_graph 669 6cee6a0-6cee6e9 671 6cee6ef-6cee71b call 6cee2e8 669->671 672 6cee7b7-6cee7c5 669->672 681 6cee73c-6cee740 671->681 682 6cee71d-6cee737 671->682 676 6cee7c7-6cee7da 672->676 677 6cee821-6cee825 672->677 676->677 685 6cee7dc-6cee7fb 676->685 679 6cee827-6cee833 677->679 680 6cee835-6cee83c 677->680 679->680 689 6cee83f-6cee867 679->689 680->689 687 6cee742-6cee74b 681->687 688 6cee761 681->688 701 6ceeb8b-6ceeb97 682->701 705 6ceeb88 685->705 692 6cee74d-6cee750 687->692 693 6cee752-6cee755 687->693 690 6cee764-6cee769 688->690 712 6ceea7d-6ceea88 689->712 713 6cee86d-6cee87b 689->713 690->672 695 6cee76b-6cee76f 690->695 694 6cee75f 692->694 693->694 694->690 698 6cee7a8-6cee7ae 695->698 699 6cee771-6cee78c 695->699 698->672 699->698 708 6cee78e-6cee794 699->708 705->701 710 6ceeb9a-6ceebae 708->710 711 6cee79a-6cee7a3 708->711 722 6ceebb5-6ceec18 710->722 711->701 718 6ceeabd-6ceeaf6 712->718 719 6ceea8a-6ceeaa1 712->719 720 6ceed25-6ceed38 713->720 721 6cee881-6cee894 713->721 729 6ceeb4c-6ceeb5f 718->729 730 6ceeaf8-6ceeb0f 718->730 719->718 737 6ceeaa3-6ceeaa9 719->737 727 6cee8bf-6cee8cd 721->727 728 6cee896-6cee8a3 721->728 741 6ceec1f-6ceec4f 722->741 727->720 740 6cee8d3-6cee8e8 727->740 728->727 738 6cee8a5-6cee8ab 728->738 733 6ceeb61 729->733 743 6ceeb18-6ceeb1a 730->743 733->705 737->741 742 6ceeaaf-6ceeab8 737->742 738->722 744 6cee8b1-6cee8ba 738->744 750 6cee8ea-6cee903 740->750 751 6cee908-6cee980 740->751 760 6ceecbb-6ceed1e 741->760 761 6ceec51-6ceecb4 741->761 742->701 745 6ceeb1c-6ceeb39 743->745 746 6ceeb3b-6ceeb4a 743->746 744->701 745->733 746->729 746->730 763 6cee986-6cee98d 750->763 751->763 760->720 761->760 763->712 765 6cee993-6cee9cc 763->765 774 6cee9ce-6cee9f5 call 6cee2e8 765->774 775 6ceea38-6ceea4b 765->775 788 6ceea16-6ceea36 774->788 789 6cee9f7-6ceea14 774->789 777 6ceea4d 775->777 777->712 788->774 788->775 789->777
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4']q$4|bq$$]q$$]q$$]q$$]q
                                              • API String ID: 0-3243459928
                                              • Opcode ID: 1b8e3308a1ef6819a722cdd139502025fc0f6ecab0011d6ff483036c7abfc91e
                                              • Instruction ID: 00faacbe06e162a81cdb297918708b44b18966ae60bde800572a0d92602bcb7a
                                              • Opcode Fuzzy Hash: 1b8e3308a1ef6819a722cdd139502025fc0f6ecab0011d6ff483036c7abfc91e
                                              • Instruction Fuzzy Hash: A3026D34B002198FDB54DF7AC894AAEBBF6BF88340F148469D849EB355DB349D41CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 797 6ce43b8-6ce43d6 798 6ce43d8-6ce43e4 797->798 799 6ce43e6-6ce4403 797->799 800 6ce4407-6ce4413 798->800 799->800 801 6ce441c-6ce4425 800->801 802 6ce4415-6ce441a 800->802 803 6ce4428-6ce442a 801->803 802->803 804 6ce44b2-6ce44b6 803->804 805 6ce4430 803->805 806 6ce44ea-6ce4502 call 6ce3fb8 804->806 807 6ce44b8-6ce44d6 804->807 878 6ce4432 call 6ce47cb 805->878 879 6ce4432 call 6ce47d8 805->879 823 6ce4507-6ce4531 call 6ce40f0 806->823 807->806 817 6ce44d8-6ce44e5 call 6ce40f0 807->817 808 6ce4438-6ce4458 call 6ce40f0 814 6ce445a-6ce4466 808->814 815 6ce4468-6ce4485 808->815 818 6ce4489-6ce4495 814->818 815->818 826 6ce430b-6ce431b 817->826 821 6ce449e-6ce44a7 818->821 822 6ce4497-6ce449c 818->822 825 6ce44aa-6ce44ac 821->825 822->825 838 6ce4533-6ce453f 823->838 839 6ce4541-6ce455e 823->839 825->804 827 6ce46ce-6ce470e 825->827 829 6ce45ee-6ce460b 826->829 830 6ce4321-6ce4339 826->830 860 6ce4715-6ce476f 827->860 834 6ce4614-6ce461d 829->834 833 6ce433f-6ce4346 830->833 830->834 836 6ce434c-6ce4356 833->836 837 6ce4625-6ce46c7 833->837 834->837 837->827 840 6ce4562-6ce456e 838->840 839->840 842 6ce4574 840->842 843 6ce4570-6ce4572 840->843 845 6ce4577-6ce4579 842->845 843->845 845->826 847 6ce457f-6ce458f 845->847 849 6ce459f-6ce45bc 847->849 850 6ce4591-6ce459d 847->850 852 6ce45c0-6ce45cc 849->852 850->852 854 6ce45ce-6ce45d3 852->854 855 6ce45d5-6ce45de 852->855 857 6ce45e1-6ce45e3 854->857 855->857 859 6ce45e9 857->859 857->860 859->829 878->808 879->808
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Haq$Haq$Haq$Haq$Haq
                                              • API String ID: 0-1792267638
                                              • Opcode ID: c5e9ee0ab328606ba7204e1d43fc6e6c8446ea4b0fe8336cd0821b59696fa56f
                                              • Instruction ID: cff406ddba870bb888ea5231fe7d3ff343dde31e0e4addba6b792a184a587f58
                                              • Opcode Fuzzy Hash: c5e9ee0ab328606ba7204e1d43fc6e6c8446ea4b0fe8336cd0821b59696fa56f
                                              • Instruction Fuzzy Hash: 70C17D31E042568FCB59DF75D4502ADFBF2BF85300F25C66AD846AF241DB389A85CB90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 880 6ce0cd0-6ce0cfb 881 6ce0cfd 880->881 882 6ce0d02-6ce0d9e 880->882 881->882 885 6ce0df0-6ce0e2b 882->885 886 6ce0da0-6ce0dea 882->886 891 6ce2179-6ce2192 885->891 886->885 894 6ce2198-6ce21be 891->894 895 6ce0e30-6ce0fbf 891->895 898 6ce21cd 894->898 899 6ce21c0-6ce21cc 894->899 913 6ce2131-6ce214b 895->913 900 6ce21ce 898->900 899->898 900->900 915 6ce0fc4-6ce1108 913->915 916 6ce2151-6ce2175 913->916 932 6ce110a-6ce1136 915->932 933 6ce113b-6ce1182 915->933 916->891 936 6ce11c9-6ce1380 932->936 938 6ce11a7-6ce11b6 933->938 939 6ce1184-6ce11a5 933->939 961 6ce13d2-6ce13dd 936->961 962 6ce1382-6ce13cc 936->962 944 6ce11bc-6ce11c8 938->944 939->944 944->936 1116 6ce13e3 call 6ce22e8 961->1116 1117 6ce13e3 call 6ce22e3 961->1117 962->961 963 6ce13e9-6ce144d 969 6ce149f-6ce14aa 963->969 970 6ce144f-6ce1499 963->970 1128 6ce14b0 call 6ce22e8 969->1128 1129 6ce14b0 call 6ce22e3 969->1129 970->969 971 6ce14b6-6ce1519 977 6ce156b-6ce1576 971->977 978 6ce151b-6ce1565 971->978 1124 6ce157c call 6ce22e8 977->1124 1125 6ce157c call 6ce22e3 977->1125 978->977 980 6ce1582-6ce15bb 983 6ce1a34-6ce1abb 980->983 984 6ce15c1-6ce1624 980->984 995 6ce1abd-6ce1b13 983->995 996 6ce1b19-6ce1b24 983->996 992 6ce162b-6ce167d LdrInitializeThunk call 6ce0b6c 984->992 993 6ce1626 984->993 1002 6ce1682-6ce17aa call 6ce06e0 992->1002 993->992 995->996 1126 6ce1b2a call 6ce22e8 996->1126 1127 6ce1b2a call 6ce22e3 996->1127 998 6ce1b30-6ce1bbd 1013 6ce1bbf-6ce1c15 998->1013 1014 6ce1c1b-6ce1c26 998->1014 1034 6ce1a17-6ce1a33 1002->1034 1035 6ce17b0-6ce1802 1002->1035 1013->1014 1122 6ce1c2c call 6ce22e8 1014->1122 1123 6ce1c2c call 6ce22e3 1014->1123 1016 6ce1c32-6ce1caa 1027 6ce1cac-6ce1d02 1016->1027 1028 6ce1d08-6ce1d13 1016->1028 1027->1028 1120 6ce1d19 call 6ce22e8 1028->1120 1121 6ce1d19 call 6ce22e3 1028->1121 1030 6ce1d1f-6ce1d8b 1045 6ce1ddd-6ce1de8 1030->1045 1046 6ce1d8d-6ce1dd7 1030->1046 1034->983 1043 6ce1854-6ce18cf 1035->1043 1044 6ce1804-6ce184e 1035->1044 1059 6ce1921-6ce199b 1043->1059 1060 6ce18d1-6ce191b 1043->1060 1044->1043 1118 6ce1dee call 6ce22e8 1045->1118 1119 6ce1dee call 6ce22e3 1045->1119 1046->1045 1048 6ce1df4-6ce1e39 1061 6ce1f6f-6ce2118 1048->1061 1062 6ce1e3f-6ce1f6e 1048->1062 1076 6ce19ed-6ce1a16 1059->1076 1077 6ce199d-6ce19e7 1059->1077 1060->1059 1113 6ce211a-6ce212f 1061->1113 1114 6ce2130 1061->1114 1062->1061 1076->1034 1077->1076 1113->1114 1114->913 1116->963 1117->963 1118->1048 1119->1048 1120->1030 1121->1030 1122->1016 1123->1016 1124->980 1125->980 1126->998 1127->998 1128->971 1129->971
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: ;
                                              • API String ID: 0-3823983468
                                              • Opcode ID: f62411379039c77df75db8174066ae30f5647a7fcb7ac57d97304b2c0d824e26
                                              • Instruction ID: 3ea29f030be24411d8c707eb7d516933d70a6f7276cff10f758859477b13c369
                                              • Opcode Fuzzy Hash: f62411379039c77df75db8174066ae30f5647a7fcb7ac57d97304b2c0d824e26
                                              • Instruction Fuzzy Hash: 99C28174E012298FCBA5DF24D898B9DBBB1BB49304F1085EAD40DAB354DB34AE85CF54

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1152 6ce2460-6ce2492 1153 6ce2499-6ce2565 1152->1153 1154 6ce2494 1152->1154 1159 6ce257a 1153->1159 1160 6ce2567-6ce2575 1153->1160 1154->1153 1223 6ce2580 call 6ce2ea6 1159->1223 1224 6ce2580 call 6ce2e16 1159->1224 1225 6ce2580 call 6ce2dd0 1159->1225 1226 6ce2580 call 6ce2d21 1159->1226 1161 6ce2a28-6ce2a35 1160->1161 1162 6ce2586-6ce25af 1227 6ce25b5 call 6cef7ab 1162->1227 1228 6ce25b5 call 6cef7b0 1162->1228 1164 6ce25bb-6ce2636 1170 6ce29b7-6ce29e1 1164->1170 1172 6ce263b-6ce2851 1170->1172 1173 6ce29e7-6ce2a26 1170->1173 1200 6ce285d-6ce28a7 1172->1200 1173->1161 1203 6ce28af-6ce28b1 1200->1203 1204 6ce28a9 1200->1204 1207 6ce28b8-6ce28bf 1203->1207 1205 6ce28ab-6ce28ad 1204->1205 1206 6ce28b3 1204->1206 1205->1203 1205->1206 1206->1207 1208 6ce2939-6ce295f 1207->1208 1209 6ce28c1-6ce2938 1207->1209 1211 6ce296c-6ce2978 1208->1211 1212 6ce2961-6ce296a 1208->1212 1209->1208 1214 6ce297e-6ce299d 1211->1214 1212->1214 1218 6ce299f-6ce29b2 1214->1218 1219 6ce29b3-6ce29b4 1214->1219 1218->1219 1219->1170 1223->1162 1224->1162 1225->1162 1226->1162 1227->1164 1228->1164
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: .$1
                                              • API String ID: 0-1839485796
                                              • Opcode ID: 9cf2e8c8b74cc0d2cd209b8c33f79ad1c360ade630d5bbb1196785c964a76990
                                              • Instruction ID: 01da0c56fe8f081a1696b8c0fe2e1a08a6987a395a683b170341add3aaca1cd4
                                              • Opcode Fuzzy Hash: 9cf2e8c8b74cc0d2cd209b8c33f79ad1c360ade630d5bbb1196785c964a76990
                                              • Instruction Fuzzy Hash: 59F1D274E01229CFDB68DF65C844BDDBBB2BF89305F1081AAD50AAB250DB359E85CF50
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48ddb47a25dd58dfa24000addca4ff2b20f6797ddfe7c77a8e5324f811dd5da1
                                              • Instruction ID: be59e637ab1c8e2784b4b97921cfda0c9e3b849ec96efe6a230d83cb9c1e3bc5
                                              • Opcode Fuzzy Hash: 48ddb47a25dd58dfa24000addca4ff2b20f6797ddfe7c77a8e5324f811dd5da1
                                              • Instruction Fuzzy Hash: 3A82DEB4A10216CFDB65CF28E948B6D77F5BB58308F1442E8C8099B7A2EB369D45CF41
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3067ba4ee103a700453a938eef46b32b0f0e4ad2cd68a8ba4b313922470a56f9
                                              • Instruction ID: a93238150b919c5874a410fda0c0a93b3af51d66f050ee778fb7a92824ed748d
                                              • Opcode Fuzzy Hash: 3067ba4ee103a700453a938eef46b32b0f0e4ad2cd68a8ba4b313922470a56f9
                                              • Instruction Fuzzy Hash: 99910670E01219CFDB64DFA8D994B9DBBB2BF89300F1085A9D449BB350EB706A85CF51

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1457 109ae30-109ae3f 1458 109ae6b-109ae6f 1457->1458 1459 109ae41-109ae4e call 1099838 1457->1459 1461 109ae71-109ae7b 1458->1461 1462 109ae83-109aec4 1458->1462 1465 109ae50 1459->1465 1466 109ae64 1459->1466 1461->1462 1468 109aed1-109aedf 1462->1468 1469 109aec6-109aece 1462->1469 1515 109ae56 call 109b0b8 1465->1515 1516 109ae56 call 109b0c8 1465->1516 1466->1458 1470 109aee1-109aee6 1468->1470 1471 109af03-109af05 1468->1471 1469->1468 1473 109aee8-109aeef call 109a814 1470->1473 1474 109aef1 1470->1474 1476 109af08-109af0f 1471->1476 1472 109ae5c-109ae5e 1472->1466 1475 109afa0-109afb7 1472->1475 1478 109aef3-109af01 1473->1478 1474->1478 1490 109afb9-109b018 1475->1490 1479 109af1c-109af23 1476->1479 1480 109af11-109af19 1476->1480 1478->1476 1483 109af30-109af39 call 109a824 1479->1483 1484 109af25-109af2d 1479->1484 1480->1479 1488 109af3b-109af43 1483->1488 1489 109af46-109af4b 1483->1489 1484->1483 1488->1489 1491 109af69-109af76 1489->1491 1492 109af4d-109af54 1489->1492 1508 109b01a-109b060 1490->1508 1499 109af99-109af9f 1491->1499 1500 109af78-109af96 1491->1500 1492->1491 1493 109af56-109af66 call 109a834 call 109a844 1492->1493 1493->1491 1500->1499 1510 109b068-109b093 GetModuleHandleW 1508->1510 1511 109b062-109b065 1508->1511 1512 109b09c-109b0b0 1510->1512 1513 109b095-109b09b 1510->1513 1511->1510 1513->1512 1515->1472 1516->1472
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0109B086
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243724891.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1090000_RegAsm.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 9ae8bc340e3031059b19231aa35117483cdac59050f4d669f4b9a79ccd9bf5a9
                                              • Instruction ID: 26773bfc2f2d69eeee0934a24e16575bbc32a041ad93075f8fcaf4f718e59217
                                              • Opcode Fuzzy Hash: 9ae8bc340e3031059b19231aa35117483cdac59050f4d669f4b9a79ccd9bf5a9
                                              • Instruction Fuzzy Hash: B97125B0A00B05CFDB64DF69D56479ABBF5FF88300F00896DE48A9BA50DB75E845CB90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1517 1094248-1095a01 CreateActCtxA 1520 1095a0a-1095a64 1517->1520 1521 1095a03-1095a09 1517->1521 1528 1095a73-1095a77 1520->1528 1529 1095a66-1095a69 1520->1529 1521->1520 1530 1095a79-1095a85 1528->1530 1531 1095a88 1528->1531 1529->1528 1530->1531 1533 1095a89 1531->1533 1533->1533
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 010959F1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243724891.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1090000_RegAsm.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: b3cc3dc8a2c90de41083a4108e6900c9b4b5e6fd0b2b7703ac98de8c2f88ab5e
                                              • Instruction ID: 3ce78393b68074c145e8667460b5de86da49b398f7a085e090ae2e6bcba7d4f7
                                              • Opcode Fuzzy Hash: b3cc3dc8a2c90de41083a4108e6900c9b4b5e6fd0b2b7703ac98de8c2f88ab5e
                                              • Instruction Fuzzy Hash: 3741F2B0C00719CBDB25CFAAC884B9DBBF5FF49304F20806AD408AB255DBB56946CF91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1534 1095935-109593c 1535 1095944-1095a01 CreateActCtxA 1534->1535 1537 1095a0a-1095a64 1535->1537 1538 1095a03-1095a09 1535->1538 1545 1095a73-1095a77 1537->1545 1546 1095a66-1095a69 1537->1546 1538->1537 1547 1095a79-1095a85 1545->1547 1548 1095a88 1545->1548 1546->1545 1547->1548 1550 1095a89 1548->1550 1550->1550
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 010959F1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243724891.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1090000_RegAsm.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 3b6f68edf9258c47146f0faa8d512065f99675ff54c271450445bec0732953ce
                                              • Instruction ID: 48cbf4b7e14da7d9226dee6297957a9a91742de833a2715d0828748ede434698
                                              • Opcode Fuzzy Hash: 3b6f68edf9258c47146f0faa8d512065f99675ff54c271450445bec0732953ce
                                              • Instruction Fuzzy Hash: 0A4101B1C00719CEDB25CFAAC888B8DBBF5FF49304F24805AD418AB255DB756946CF91
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0109D2C6,?,?,?,?,?), ref: 0109D387
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243724891.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1090000_RegAsm.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 6a64c24bfc04cdcc9bb2dfe43401211e37fda6956b83d50d46120cbda7ca9757
                                              • Instruction ID: db9ac1fd5d89596a30cbbf2efa61f58e5bef0e3fd3c07983011968b0c265cdbc
                                              • Opcode Fuzzy Hash: 6a64c24bfc04cdcc9bb2dfe43401211e37fda6956b83d50d46120cbda7ca9757
                                              • Instruction Fuzzy Hash: 4721E4B5900248EFDB10CF9AD984AEEBFF4EB48310F14845AE958A3310D378A954DFA5
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0109D2C6,?,?,?,?,?), ref: 0109D387
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243724891.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1090000_RegAsm.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 6becb35014cc90909e7ec7175391023d5c32b908ec63ee2560cdcb40e16b7d68
                                              • Instruction ID: db55cb6367210e50fd2ff98789e0789761d78d6cfa6cff2b38d0af72b8802b91
                                              • Opcode Fuzzy Hash: 6becb35014cc90909e7ec7175391023d5c32b908ec63ee2560cdcb40e16b7d68
                                              • Instruction Fuzzy Hash: 0621E0B5D002099FDB10CFAAD985AEEBBF4EB48310F14841AE918A3210D378A944CFA0
                                              APIs
                                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,06CE8006), ref: 06CE810E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 54389f8d40e0e1269be3671a3601e3da80bc8deee042cd6f7a0736ab0e2f8b54
                                              • Instruction ID: 5eb3fb533887e981f1da3a3a38b925346436420d83b98bfbc98a0fd4fd5f14c8
                                              • Opcode Fuzzy Hash: 54389f8d40e0e1269be3671a3601e3da80bc8deee042cd6f7a0736ab0e2f8b54
                                              • Instruction Fuzzy Hash: 541123B2D016498FCB20CF9AC944A9EFBF4EF88310F14841AD429B7210C379A545CFA5
                                              APIs
                                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,06CE8006), ref: 06CE810E
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2257509109.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_6ce0000_RegAsm.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: ecf9d44e855bf317dc7c76febc0a64188440458a2419677cf4a7cdd36bbf33e6
                                              • Instruction ID: 9c548623d0ccaa5643ec0d326e4cf2af3d7c613d4dc8dad9ca5e7cc822b87e55
                                              • Opcode Fuzzy Hash: ecf9d44e855bf317dc7c76febc0a64188440458a2419677cf4a7cdd36bbf33e6
                                              • Instruction Fuzzy Hash: 0C1132B6C003498FCB20CFAAC944ADEFBF4EF88320F14841AD428A7610C379A545CFA1
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0109B086
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243724891.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_1090000_RegAsm.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 876b374a4b8127a8715d026a5ac06c5b172b45f6e3a23d89b3d5035eb9fbb9a1
                                              • Instruction ID: 2a810e9e810e30e3152165d760078ceb054acbe7e053b7af3cc2a88e9c1b7f00
                                              • Opcode Fuzzy Hash: 876b374a4b8127a8715d026a5ac06c5b172b45f6e3a23d89b3d5035eb9fbb9a1
                                              • Instruction Fuzzy Hash: BD110FB6C003498FDB20CF9AD444A9EFBF4AB88224F10845AD568B7210C379A545CFA1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243360060.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_102d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0402fac784334be42deebeb3aaab8313de13412d914b02ccd2d856986ef3e015
                                              • Instruction ID: 8c89b01e3418afae375fe05af81e96356ddc5d59e8580870c993a316656906f9
                                              • Opcode Fuzzy Hash: 0402fac784334be42deebeb3aaab8313de13412d914b02ccd2d856986ef3e015
                                              • Instruction Fuzzy Hash: B6214871504204DFDB05CF58C9C0F5ABFA5FB84314F20C5A9D9490B216C73AE846C7A1
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243410064.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_103d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ba75f3b6ee04933e14a3aa0682cc7db99f5a6a1af87264dd8455b948d455e517
                                              • Instruction ID: 98a45e4f1e58c5e8df4440ce4fd7b0cf02cd0bc1b0c1f3988909dc2797ea3863
                                              • Opcode Fuzzy Hash: ba75f3b6ee04933e14a3aa0682cc7db99f5a6a1af87264dd8455b948d455e517
                                              • Instruction Fuzzy Hash: CF210071604200DFCB15CFA8D980B26FFA9EB84B14F60C9A9E9894B256C33AD406CB61
                                              Memory Dump Source
                                              • Source File: 00000003.00000002.2243410064.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_3_2_103d000_RegAsm.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
