Windows Analysis Report
Jeverly.exe

Overview

General Information

Sample name: Jeverly.exe
Analysis ID: 1521300
MD5: e221c44cbccd5d631e95fb0e1a1b1092
SHA1: 08407b9ac3dd6effd96ab52dd2ca3569e82fcc1f
SHA256: f682410bcf72767db22da81f75fac2d1c52bc74f692606d2ac1cb26813561213
Tags: exe, user-4k95m

Detection

Detected as: RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification (diagram not reproduced)

Process Tree

  • System is w10x64
  • Jeverly.exe (PID: 3820 cmdline: "C:\Users\user\Desktop\Jeverly.exe" MD5: E221C44CBCCD5D631E95FB0E1A1B1092)
    • conhost.exe (PID: 5200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 7100 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
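The process tree shows Jeverly.exe, running from the user's Desktop, starting RegAsm.exe from the .NET Framework directory with no arguments at all. Together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures, that is the hollowed-host pattern: the legitimate RegAsm.exe image is only a container for the unpacked RedLine payload. The following Python is an added example (not code from the report, the sandbox or the sample) of a hunt over Sysmon Event ID 1 records for exactly that pattern. The event records are constructed; the host binaries other than RegAsm.exe and the set of user-writable directories are assumptions to tune per environment.

```python
"""Hunt for the hollowed-host pattern in Sysmon Event ID 1 (process creation) records:
a .NET Framework utility started with an empty argument list by a parent that lives in
a user-writable directory. Added example; the records below are constructed."""
from __future__ import annotations

import re

# Host binaries: RegAsm.exe is the one observed in this report; the others are an
# assumption based on commonly abused .NET Framework utilities, not on this report.
NET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}

# Parent locations a legitimate developer tool would not normally run from (assumption; tune it).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(desktop|downloads|documents|appdata)|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(command_line: str, image: str) -> str:
    """Return whatever follows the image path on the command line ('' when there are no arguments)."""
    line = command_line.strip()
    if line.startswith('"'):
        close = line.find('"', 1)
        exe, rest = line[1:close], line[close + 1:]
    else:
        exe, _, rest = line.partition(" ")
    # If the command line does not start with the image path, treat the whole line as arguments.
    return rest.strip() if exe.lower() == image.lower() else line


def classify(event: dict) -> str | None:
    """Reason string when the event matches the pattern, else None."""
    if basename(event["Image"]) not in NET_HOSTS:
        return None
    reasons = []
    if not arguments(event["CommandLine"], event["Image"]):
        reasons.append("no arguments")
    if USER_WRITABLE.match(event["ParentImage"]):
        reasons.append("parent in user-writable path")
    # Require both: Visual Studio and installers legitimately run RegAsm.exe, but with
    # arguments and from Program Files.
    return "; ".join(reasons) if len(reasons) == 2 else None


def hunt(events: list[dict]) -> list[tuple]:
    """(pid, image, parent image, reason) for every event that matches."""
    return [
        (e["ProcessId"], basename(e["Image"]), basename(e["ParentImage"]), why)
        for e in events
        if (why := classify(e))
    ]


# Constructed Sysmon EID 1 records (only the fields the hunt uses). PIDs and paths of the
# first two follow the process tree in this report; the Visual Studio record is made up.
SAMPLE_EVENTS = [
    {"ProcessId": 3820, "Image": r"C:\Users\user\Desktop\Jeverly.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Jeverly.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 7100, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "ParentImage": r"C:\Users\user\Desktop\Jeverly.exe"},
    {"ProcessId": 4212, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase Contoso.Interop.dll',
     "ParentImage": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Requiring both conditions keeps developer workstations quiet while still catching the RegAsm.exe launch from this report; in an environment where RegAsm.exe is never used legitimately, a bare-argument launch alone is worth an alert.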
Name: RedLine Stealer
Description: RedLine Stealer is malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration: {"C2 url": "185.196.9.26:6302", "Authorization Header": "67bd855e4ce847859f82655be579f403"}
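The extracted configuration is a bare IP:port plus an Authorization value, and the Suricata rule names in this report ("MC-NMF Authorization", "Id1Response") give away the transport: the payload talks to its C2 as a WCF net.tcp client, so the first bytes on the wire are a .NET Message Framing (MC-NMF) preamble carrying the endpoint as a net.tcp "via". The Authorization value travels in the framed application messages that follow the preamble; decoding WCF's binary XML is outside this example. Below is an added example, written for this page and not taken from the report or the sample, that builds and parses such a preamble and flags the shape seen here: a via naming an IP literal on a non-default port. Duplex mode and binary encoding with in-band dictionary are the NetTcpBinding defaults and are assumed, not read from the sample; the preamble bytes are constructed.

```python
"""Parse the .NET Message Framing (MC-NMF) preamble that a WCF net.tcp client sends
before its first application message, and flag the shape seen in this report:
a net.tcp 'via' naming a bare IP literal on a non-default port.
Added example, not taken from the report or the sample; the sample bytes are constructed."""
from __future__ import annotations

from ipaddress import ip_address
from urllib.parse import urlsplit

# Record type bytes from the MC-NMF specification.
RECORD_NAMES = {
    0x00: "Version", 0x01: "Mode", 0x02: "Via", 0x03: "KnownEncoding",
    0x04: "ExtensibleEncoding", 0x05: "UnsizedEnvelope", 0x06: "SizedEnvelope",
    0x07: "End", 0x08: "Fault", 0x09: "UpgradeRequest", 0x0A: "UpgradeResponse",
    0x0B: "PreambleAck", 0x0C: "PreambleEnd",
}
MODES = {0x01: "SingletonUnsized", 0x02: "Duplex", 0x03: "Simplex", 0x04: "SingletonSized"}
ENCODINGS = {0x00: "UTF-8 SOAP 1.1", 0x03: "UTF-8 SOAP 1.2", 0x06: "MTOM",
             0x07: "Binary", 0x08: "Binary with in-band dictionary"}
NET_TCP_DEFAULT_PORT = 808   # WCF's default when the via carries no port


def _read_size(buf: bytes, pos: int) -> tuple[int, int]:
    """MC-NMF sizes: 7 payload bits per byte, low group first, high bit set on continuation bytes."""
    value = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("size field longer than five bytes")


def _write_size(n: int) -> bytes:
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def build_client_preamble(via: str, mode: int = 0x02, encoding: int = 0x08) -> bytes:
    """Version 1.0, Mode, Via, KnownEncoding, PreambleEnd, in the order a WCF client sends them."""
    v = via.encode("utf-8")
    return (bytes([0x00, 0x01, 0x00, 0x01, mode, 0x02]) + _write_size(len(v)) + v
            + bytes([0x03, encoding, 0x0C]))


def parse_preamble(buf: bytes) -> list[tuple]:
    """Return (record, value) pairs up to and including PreambleEnd; reject anything else."""
    records, pos = [], 0
    while pos < len(buf):
        rtype = buf[pos]
        pos += 1
        name = RECORD_NAMES.get(rtype)
        if name == "Version":
            records.append((name, (buf[pos], buf[pos + 1])))
            pos += 2
        elif name == "Mode":
            records.append((name, MODES.get(buf[pos], buf[pos])))
            pos += 1
        elif name in ("Via", "UpgradeRequest"):
            length, pos = _read_size(buf, pos)
            records.append((name, buf[pos:pos + length].decode("utf-8")))
            pos += length
        elif name == "KnownEncoding":
            records.append((name, ENCODINGS.get(buf[pos], buf[pos])))
            pos += 1
        elif name == "PreambleEnd":
            records.append((name, None))
            return records
        else:
            raise ValueError(f"record 0x{rtype:02x} at offset {pos - 1} is not part of a preamble")
    raise ValueError("truncated preamble")


def assess_via(records: list[tuple]) -> list[str]:
    """Findings about the Via record; an empty list means nothing notable."""
    via = next((value for name, value in records if name == "Via"), None)
    if via is None:
        return ["no Via record"]
    url = urlsplit(via)
    findings = []
    if url.scheme != "net.tcp":
        findings.append(f"unexpected scheme {url.scheme!r}")
    try:
        ip_address(url.hostname)
        findings.append("via host is an IP literal (no DNS name)")
    except ValueError:
        pass
    port = url.port if url.port is not None else NET_TCP_DEFAULT_PORT
    if port != NET_TCP_DEFAULT_PORT:
        findings.append(f"non-default net.tcp port {port}")
    return findings


# Constructed sample: the C2 endpoint from the extracted configuration, framed as a net.tcp via.
SAMPLE_PREAMBLE = build_client_preamble("net.tcp://185.196.9.26:6302/")

if __name__ == "__main__":
    recs = parse_preamble(SAMPLE_PREAMBLE)
    for rec in recs:
        print(rec)
    print(assess_via(recs))
```

Fed the first client bytes of a suspect TCP stream, parse_preamble either yields a clean preamble (a strong hint that the stream is WCF net.tcp, whatever the port) or raises, which is itself useful for triage; assess_via then separates an in-house service on net.tcp://svc.example.internal:808/ from the IP-literal, high-port endpoint this sample uses.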
YARA matches (network traffic)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

YARA matches (process memory dumps)
Source | Rule | Description | Author
00000003.00000002.2254599428.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
Process Memory Space: Jeverly.exe PID: 3820 | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(2 further entries collapsed in the original report)

YARA matches (unpacked PE files)
Source | Rule | Description | Author
1.2.Jeverly.exe.3985570.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
1.2.Jeverly.exe.3985570.0.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
3.2.RegAsm.exe.400000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
                      No Sigma rule has matched
Suricata IDS alerts (chronological; Source and Destination are IP:port)
Timestamp | SID | Severity | Classtype | Source | Destination | Protocol
2024-09-28T07:28:02.726618+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 185.196.9.26:6302 | TCP
2024-09-28T07:28:02.726618+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 185.196.9.26:6302 | TCP
2024-09-28T07:28:02.922313+0200 | 2043234 | 1 | A Network Trojan was detected | 185.196.9.26:6302 | 192.168.2.6:49711 | TCP
2024-09-28T07:28:08.032027+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 185.196.9.26:6302 | TCP
2024-09-28T07:28:08.230303+0200 | 2046056 | 1 | A Network Trojan was detected | 185.196.9.26:6302 | 192.168.2.6:49711 | TCP
2024-09-28T07:28:09.614804+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 185.196.9.26:6302 | TCP
2024-09-28T07:28:09.856662+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6:49711 | 185.196.9.26:6302 | TCP


                      AV Detection

Source: 00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "185.196.9.26:6302", "Authorization Header": "67bd855e4ce847859f82655be579f403"}
Source: Submitted Sample | Integrated Neural Analysis Model: matched with 100.0% probability
Source: Jeverly.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Jeverly.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Jeverly.exe | Binary string (PDB path): c:\rje\tg\gs5y3jk\obj\Release\ojc.pdb
Source: Jeverly.exe | Binary string (PDB path): c:\rje\tg\gs5y3jk\obj\Release\ojc.pdbX

The code-function entries below come from the memory of the RegAsm.exe process (the 3_2_ prefix denotes process 3, dump 2), i.e. from the injected RedLine payload, not from the RegAsm.exe image on disk.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054D81C0: 4x nop then jmp 054D8474h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054DF250: 4x nop then jmp 054DF483h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054DB8C8: 4x nop then jmp 054DBCEAh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054DB8C8: 4x nop then jmp 054DC16Ah
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054D9A28: 4x nop then jmp 054DA187h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054D2460: 4x nop then inc dword ptr [ebp-20h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054D2190: 4x nop then inc dword ptr [ebp-20h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054D7CC8: 4x nop then jmp 054D8097h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054D7CB8: 4x nop then jmp 054D8097h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function 3_2_054DDFA1: 4x nop then jmp 054DDFB9h

                      Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49711 -> 185.196.9.26:6302
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49711 -> 185.196.9.26:6302
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 185.196.9.26:6302 -> 192.168.2.6:49711
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 185.196.9.26:6302 -> 192.168.2.6:49711
Source: Malware configuration extractor | URLs: 185.196.9.26:6302
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 185.196.9.26:6302
Source: Joe Sandbox View | IP Address: 185.196.9.26
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH
Source: unknown | TCP traffic detected without corresponding DNS query: 185.196.9.26 (19 occurrences)
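Two of the findings above, "TCP traffic detected without corresponding DNS query" and "Detected TCP or UDP traffic on non-standard ports", are cheap to reproduce on network telemetry outside the sandbox: every outbound connection to a public address should be explainable by a DNS answer the same host received shortly before, and a hard-coded C2 like the one in this configuration never is. The following Python is an added example (not from the report or any product) that runs that correlation over Zeek-style conn.log and dns.log records. The records are constructed; the DNS window and the list of ports treated as common are assumptions to tune per environment.

```python
"""Explain outbound connections by preceding DNS answers, the check behind the
'TCP traffic detected without corresponding DNS query' and 'non-standard ports'
findings above. Added example, not from the report; the Zeek-style conn.log and
dns.log records below are constructed."""
from __future__ import annotations

from collections import defaultdict
from ipaddress import ip_address

DNS_WINDOW_S = 3600.0          # an answer older than this no longer explains a connection (assumption)
COMMON_TCP_PORTS = {22, 25, 80, 443, 465, 587, 993, 995, 8080, 8443}   # assumption: tune per environment


def index_answers(dns_log: list[dict]) -> dict[str, list[tuple[float, str]]]:
    """answered IP -> [(timestamp, query name)], sorted by time."""
    index = defaultdict(list)
    for rec in dns_log:
        for answer in rec["answers"]:
            try:
                ip_address(answer)
            except ValueError:
                continue            # CNAME targets and the like are not addresses
            index[answer].append((rec["ts"], rec["query"]))
    for entries in index.values():
        entries.sort()
    return index


def explained_by(index: dict, ip: str, ts: float) -> str | None:
    """Most recent query name that resolved to ip within DNS_WINDOW_S before ts, else None."""
    name = None
    for answered_at, query in index.get(ip, []):
        if answered_at <= ts <= answered_at + DNS_WINDOW_S:
            name = query
    return name


def hunt(conn_log: list[dict], dns_log: list[dict]) -> list[tuple]:
    """(uid, destination, port, reasons) for every outbound TCP connection that is unexplained
    or goes to an uncommon port; internal destinations are skipped."""
    index = index_answers(dns_log)
    hits = []
    for c in conn_log:
        dst = ip_address(c["id.resp_h"])
        if c["proto"] != "tcp" or not dst.is_global:
            continue
        reasons = []
        if explained_by(index, str(dst), c["ts"]) is None:
            reasons.append("no preceding DNS answer for destination")
        if c["id.resp_p"] not in COMMON_TCP_PORTS:
            reasons.append(f"uncommon port {c['id.resp_p']}")
        if reasons:
            hits.append((c["uid"], str(dst), c["id.resp_p"], reasons))
    return hits


# Constructed records (Zeek field names). Times are Unix seconds around the report's
# capture; the uids, the example.com lookup and the SMB connection are made up.
SAMPLE_DNS = [
    {"ts": 1727501230.0, "query": "www.example.com", "answers": ["93.184.216.34"]},
]
SAMPLE_CONN = [
    {"ts": 1727501231.0, "uid": "CxA1", "id.orig_h": "192.168.2.6", "id.resp_h": "93.184.216.34",
     "id.resp_p": 443, "proto": "tcp"},
    {"ts": 1727501240.0, "uid": "CxA2", "id.orig_h": "192.168.2.6", "id.resp_h": "10.0.0.5",
     "id.resp_p": 445, "proto": "tcp"},
    {"ts": 1727501282.7, "uid": "CxA3", "id.orig_h": "192.168.2.6", "id.resp_h": "185.196.9.26",
     "id.resp_p": 6302, "proto": "tcp"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_CONN, SAMPLE_DNS):
        print(hit)
```

The two reasons are kept separate on purpose: a missing DNS answer alone is noisy where hosts use DoH or cached resolutions, and an uncommon port alone is noisy on developer networks, but the combination, as in the 185.196.9.26:6302 connection here, is a strong C2 indicator.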
The URLs below are WS-* namespace constants (WS-Security, WS-Trust, WS-SecureConversation, WS-AtomicTransaction, WS-Coordination, WS-ReliableMessaging, WS-Addressing) that System.ServiceModel embeds in every WCF client; they are present because the injected payload uses WCF over net.tcp for its C2 channel, and none of them is contacted on the network. The http://tempuri.org/Entity/... strings are the operation actions of the payload's service contract in WCF's default namespace; Suricata SID 2043234 above is named after the Id1Response action.

Strings found in binary or memory (RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp):
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
  http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
  http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
  http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
  http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
  http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
  http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
  http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
  http://schemas.xmlsoap.org/ws/2002/12/policy
  http://schemas.xmlsoap.org/ws/2004/04/sc
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
  http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/04/trust
  http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2004/06/addressingex
  http://schemas.xmlsoap.org/ws/2004/10/wsat
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
  http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
  http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
  http://schemas.xmlsoap.org/ws/2004/10/wscoor
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
  http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
  http://schemas.xmlsoap.org/ws/2005/02/sc
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk
  http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
  http://schemas.xmlsoap.org/ws/2005/02/sc/sct
  http://schemas.xmlsoap.org/ws/2005/02/trust
  http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
  http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
  http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
  http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
  http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
  http://tempuri.org/D

Strings found in binary or memory (RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp):
  http://schemas.xmlsoap.org/soap/actor/next
  http://schemas.xmlsoap.org/soap/envelope/
  http://schemas.xmlsoap.org/ws/2004/08/addressing
  http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
  http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
  http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
  http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
  http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
  http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
  http://schemas.xmlsoap.org/ws/2005/02/rmX
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
  http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
  http://tempuri.org/
  http://tempuri.org/Entity/Id1
  http://tempuri.org/Entity/Id10
  http://tempuri.org/Entity/Id10Response
  http://tempuri.org/Entity/Id11
  http://tempuri.org/Entity/Id11Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002B7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.0000000002BBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002BBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.0000000002BBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3ResponseD
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                      Source: RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                      Source: Jeverly.exe, 00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2254599428.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
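The string evidence above has a recognisable shape: the schemas.xmlsoap.org/ws/2005/02/trust URIs are what the WCF security runtime leaves in the heap of any .NET process that has set up a service channel, tempuri.org is WCF's default contract namespace, and the numbered http://tempuri.org/Entity/Id<N> operations with matching Id<N>Response names (Id1 through Id24 here) are the service contract this sample's C2 channel exposes. https://api.ip.sb/ip, found in both Jeverly.exe and the injected RegAsm.exe, is an external-IP lookup. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it carves printable strings from a memory dump and scores that contract shape rather than matching any single URI. SAMPLE_DUMP is constructed from the strings listed above, and the min_ops threshold is the author's choice.

```python
"""Score carved memory strings for the WCF contract shape listed in the report.

Added example; not part of the Joe Sandbox report or of the sample.
SAMPLE_DUMP is constructed from the report's own string list.
"""
import re

_STRING_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # printable ASCII runs, like `strings -n 8`
# tempuri.org/Entity/Id<N> and Id<N>Response; some copies in the report carry one
# stray trailing byte ("Id23ResponseD"), which the optional final '.' absorbs.
_ENTITY_OP = re.compile(r"^http://tempuri\.org/Entity/Id(\d+)(Response)?.?$")
_WS_TRUST = "http://schemas.xmlsoap.org/ws/2005/02/trust/"  # WCF security runtime URIs
_IP_CHECK_HOSTS = {"api.ip.sb"}  # external-IP lookup seen in Jeverly.exe and RegAsm.exe memory
_URL_HOST = re.compile(r"^https?://([^/\s]+)")


def carve_strings(blob: bytes) -> list[str]:
    """Return ASCII strings of 8+ printable bytes in dump order."""
    return [m.group().decode("ascii") for m in _STRING_RUN.finditer(blob)]


def triage(blob: bytes, min_ops: int = 8) -> dict:
    """Fingerprint the contract: request/response pairs for >= min_ops operation numbers.

    tempuri.org is the default WCF namespace, so a lone tempuri.org URI is not
    actionable; the verdict needs both Id<N> and Id<N>Response for many N.
    """
    reqs, resps, hosts = set(), set(), set()
    ws_trust = False
    for s in carve_strings(blob):
        m = _ENTITY_OP.match(s)
        if m:
            (resps if m.group(2) else reqs).add(int(m.group(1)))
        elif s.startswith(_WS_TRUST):
            ws_trust = True
        else:
            u = _URL_HOST.match(s)
            if u:
                hosts.add(u.group(1).lower())
    paired = sorted(reqs & resps)
    return {
        "paired_ops": paired,
        "wcf_security_strings": ws_trust,
        "external_ip_check": bool(hosts & _IP_CHECK_HOSTS),
        "other_hosts": sorted(hosts - _IP_CHECK_HOSTS),
        "redline_like_contract": len(paired) >= min_ops,
    }


# Constructed stand-in for a RegAsm.exe heap region: the exact strings the
# report lists, separated by non-printable filler. Not real dump data.
SAMPLE_DUMP = b"\x00" * 16
for _n in range(1, 25):
    SAMPLE_DUMP += b"http://tempuri.org/Entity/Id%d\x00\x00" % _n
    SAMPLE_DUMP += b"http://tempuri.org/Entity/Id%dResponse\x00\x00" % _n
SAMPLE_DUMP += b"http://tempuri.org/Entity/Id23ResponseD\x00"  # stray byte, as in the report
SAMPLE_DUMP += b"http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew\x00"
SAMPLE_DUMP += b"https://api.ip.sb/ip\x00" + b"\xff" * 8

if __name__ == "__main__":
    for k, v in triage(SAMPLE_DUMP).items():
        print(f"{k}: {v}")
```

Run it against a real process dump (the .sdmp regions named above, or a minidump carved with the same strings pass) rather than against the packed Jeverly.exe on disk: the strings only exist once the payload has been unpacked into RegAsm.exe. The ws_trust flag and the ip.sb lookup are supporting evidence, not a verdict on their own; plenty of legitimate WCF clients and update checkers produce them.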

                      System Summary

Source: Jeverly.exe, MoveAngles.cs | Large array initialization: MoveAngles: array initializer size 307712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_026DDC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DE580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D7400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D8700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DD6B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D81C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D9058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D6080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DCF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D6950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DC910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DB8C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D9A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DE56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DA448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D86F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D03A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D03B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D5D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D7CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054D7CB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DCF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DC900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DB8B7
Source: Jeverly.exe, 00000001.00000002.2159167446.00000000039B9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameLandings.exe8 vs Jeverly.exe
Source: Jeverly.exe, 00000001.00000002.2156476875.000000000087E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Jeverly.exe
Source: Jeverly.exe, 00000001.00000000.2146390332.0000000000280000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVQP.exeD vs Jeverly.exe
Source: Jeverly.exe | Binary or memory string: OriginalFilenameVQP.exeD vs Jeverly.exe
Source: Jeverly.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Jeverly.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/2@0/1
Source: C:\Users\user\Desktop\Jeverly.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Jeverly.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5200:120:WilError_03
Source: Jeverly.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Jeverly.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Jeverly.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000003.00000002.2257875327.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002D8B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown | Process created: C:\Users\user\Desktop\Jeverly.exe "C:\Users\user\Desktop\Jeverly.exe"
Source: C:\Users\user\Desktop\Jeverly.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Jeverly.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" (listed twice in the original report: once in the process tree and once as the parent's behaviour)
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Jeverly.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Jeverly.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Jeverly.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Jeverly.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\rje\tg\gs5y3jk\obj\Release\ojc.pdb source: Jeverly.exe
Source: Binary string: c:\rje\tg\gs5y3jk\obj\Release\ojc.pdbX source: Jeverly.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_054DF577 push eax; ret 3_2_054DF581
Source: Jeverly.exe | Static PE information: section name: .text entropy: 7.993833961990217
Source: C:\Users\user\Desktop\Jeverly.exe | Process information set: NOOPENFILEERRORBOX (13 identical entries in the original report)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory allocated: B40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory allocated: 2980000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory allocated: 26B0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2670000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 27F0000 memory reserve | memory write watch
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 47F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Jeverly.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1562
                      Source: C:\Users\user\Desktop\Jeverly.exe TID: 3352 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 616 Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5804 Thread sleep count: 1562 > 30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2104 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: RegAsm.exe, 00000003.00000002.2256909825.0000000000EDF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003A75000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: RegAsm.exe, 00000003.00000002.2265818725.0000000003B4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: Jeverly.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                      Source: C:\Users\user\Desktop\Jeverly.exe Code function: 1_2_02982145 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 1_2_02982145
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
                      Source: C:\Users\user\Desktop\Jeverly.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 830008
                      Source: C:\Users\user\Desktop\Jeverly.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Users\user\Desktop\Jeverly.exe Queries volume information: C:\Users\user\Desktop\Jeverly.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                      Stealing of Sensitive Information

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.Jeverly.exe.3985570.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Jeverly.exe.3985570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.2254599428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Jeverly.exe PID: 3820, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7100, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match; File source: 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7100, type: MEMORYSTR
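The WMI SecurityCenter queries above and the browser and wallet paths opened by RegAsm.exe are the behaviour worth recognising again in other reports or in endpoint telemetry. The following Python triage helper is an added example and not code from the Joe Sandbox report or from the sample: it parses lines in the shape of this report's behaviour entries (sample input constructed inline from the paths listed on this page, plus one benign Temp file), strips the "Jump to behavior" link text, replaces the victim profile directory with %USERPROFILE%, and maps each event to a category. The category names, the WALLET_DIRS list and the is_stealer_like() heuristic are this example's own assumptions, not Joe Sandbox signatures.

```python
"""Triage of Joe Sandbox-style behaviour lines for stealer TTPs.
Added example, not code from the report or the sample. Category names,
WALLET_DIRS and the is_stealer_like() heuristic are this example's own."""
import re

# Wallet directories as listed in this report's "File opened" lines.
WALLET_DIRS = ("atomic", "Binance", "Coinomi", "Electrum", "Ethereum",
               "Exodus", "Guarda", "com.liberty.jaxx")

# Accepts the fused HTML-export form ("RegAsm.exeFile opened: ...") and a
# separated form ("RegAsm.exe; File opened: ..."). The lazy detail group
# stops before a trailing "Jump to behavior" link text so it is not kept.
_LINE_RE = re.compile(
    r"^\s*Source:\s*(?P<src>.+?\.exe)[;\s]*"
    r"(?P<kind>File opened|WMI Queries|Key value queried):\s*"
    r"(?P<detail>.*?)(?:Jump to behavior)?\s*$")
_USERDIR_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
_WMI_SECCENTER_RE = re.compile(
    r"ROOT\\SecurityCenter2?\s*:\s*SELECT \* FROM "
    r"(AntivirusProduct|AntiSpyWareProduct|FirewallProduct)", re.IGNORECASE)
_MACHINEGUID_RE = re.compile(r"\\Microsoft\\Cryptography\s+MachineGuid", re.IGNORECASE)
# Path rules, tried in order against the normalised path.
_PATH_RULES = (
    ("chromium_credential_store",
     re.compile(r"\\User Data\\[^\\]+\\(Login Data|Web Data)$", re.IGNORECASE)),
    ("chromium_cookies",
     re.compile(r"\\User Data\\[^\\]+\\(Network\\Cookies|Extension Cookies|Cookies)$",
                re.IGNORECASE)),
    ("firefox_profile_db",
     re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\"
                r"(cookies\.sqlite|logins\.json|key4\.db|places\.sqlite)$", re.IGNORECASE)),
    ("crypto_wallet",
     re.compile(r"\\AppData\\(Roaming|Local)\\("
                + "|".join(re.escape(d) for d in WALLET_DIRS) + r")(\\|$)", re.IGNORECASE)),
)

# Constructed input in the report's export form (paths copied from this page,
# plus one benign Temp file to show the "other_file" bucket).
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct",
    r"Source: Yara matchFile source: dump.pcap, type: PCAP",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqliteJump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Temp\scratch.tmpJump to behavior",
]


def parse_line(line):
    """Return {'src', 'kind', 'detail'} for a behaviour line, else None."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path):
    """Replace the per-victim C:\\Users\\<name>\\ prefix with %USERPROFILE%\\."""
    return _USERDIR_RE.sub(r"%USERPROFILE%\\", path.strip())


def classify(event):
    """Map one parsed event to a stealer category."""
    kind, detail = event["kind"], event["detail"]
    if kind == "WMI Queries":
        return "security_software_discovery" if _WMI_SECCENTER_RE.search(detail) else "other_wmi"
    if kind == "Key value queried":
        return "host_fingerprint" if _MACHINEGUID_RE.search(detail) else "other_registry"
    path = normalize_path(detail)
    for name, rule in _PATH_RULES:
        if rule.search(path):
            return name
    return "other_file"


def summarize(lines):
    """Group events as {category: [(process name, detail), ...]}."""
    summary = {}
    for line in lines:
        event = parse_line(line)
        if event is None:  # Yara-match lines etc. are not behaviour events
            continue
        process = event["src"].rsplit("\\", 1)[-1]
        detail = event["detail"]
        if event["kind"] == "File opened":
            detail = normalize_path(detail)
        summary.setdefault(classify(event), []).append((process, detail))
    return summary


def is_stealer_like(summary):
    """Heuristic verdict (this example's assumption, not a Joe Sandbox rule):
    browser secret stores were read AND wallet directories or security
    products were enumerated as well."""
    browser = {"chromium_credential_store", "chromium_cookies", "firefox_profile_db"}
    return any(c in summary for c in browser) and (
        "crypto_wallet" in summary or "security_software_discovery" in summary)


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for category, events in sorted(result.items()):
        print(f"{category}: {[d for _, d in events]}")
    print("stealer-like:", is_stealer_like(result))
```

Yara-match lines are skipped because they describe detections, not process behaviour. For the constructed input the summary holds one host_fingerprint, one security_software_discovery, one chromium_credential_store, one chromium_cookies, one firefox_profile_db, two crypto_wallet and one other_file entry, and is_stealer_like() returns True.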

                      Remote Access Functionality

Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 1.2.Jeverly.exe.3985570.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.Jeverly.exe.3985570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.2254599428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Jeverly.exe PID: 3820, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7100, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconstructed from the flattened 14-column matrix, one line per tactic. The digits in front of a technique are the counters the matrix shows in that cell, copied as they appear; techniques without counters are the matrix's unmatched placeholder entries.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 411 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 411 Process Injection; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 221 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 113 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Archive Collected Data; 2 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

                      No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | - | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | - | unknown

Name | Malicious | Antivirus Detection | Reputation
185.196.9.26:6302 | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id23ResponseD | RegAsm.exe, 00000003.00000002.2257875327.0000000002BBE000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id12Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/ | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id2Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id21Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id9 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id8 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id5 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id4 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id7 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id6 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id19Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id15Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id6Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://api.ip.sb/ip | Jeverly.exe, 00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2254599428.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id1ResponseD | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id9Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id20 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id21 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id22 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id23 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002B7A000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id24 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id24Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id1Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id10 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id11 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id12 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id16Response | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://tempuri.org/Entity/Id13 | RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                                                                                                                                                                http://tempuri.org/Entity/Id14RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://tempuri.org/Entity/Id15RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://tempuri.org/Entity/Id16RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trust/NonceRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://tempuri.org/Entity/Id17RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://tempuri.org/Entity/Id18RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://tempuri.org/Entity/Id5ResponseRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://tempuri.org/Entity/Id19RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://tempuri.org/Entity/Id10ResponseRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RenewRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://tempuri.org/Entity/Id8ResponseRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2006/02/addressingidentityRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://schemas.xmlsoap.org/soap/envelope/RegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2005/02/trustRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        unknown
                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wsat/RollbackRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          unknown
                                                                                                                                                                                                          http://tempuri.org/Entity/Id3ResponseDRegAsm.exe, 00000003.00000002.2257875327.0000000002BBE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            unknown
                                                                                                                                                                                                            http://tempuri.org/Entity/Id23ResponseRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              unknown
                                                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCTRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                unknown
                                                                                                                                                                                                                http://tempuri.org/DRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  unknown
                                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/06/addressingexRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    unknown
                                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wscoorRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      unknown
                                                                                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/NonceRegAsm.exe, 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        unknown
                                                                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          unknown
                                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2004/08/addressing/faultRegAsm.exe, 00000003.00000002.2257875327.00000000027F1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.196.9.26 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1521300
Start date and time: 2024-09-28 07:27:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Jeverly.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@4/2@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 32
• Number of non-executed functions: 13
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 52.165.164.15
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Jeverly.exe
Time | Type | Description
01:28:07 | API Interceptor | 9x Sleep call for process: RegAsm.exe modified
Match          Associated Sample Name / URL   SHA 256   Detection   Threat Name   Link     Context
185.196.9.26   by_execute.exe                 Get hash  malicious   RedLine       Browse
               Shark#U041ePShC.exe            Get hash  malicious   RedLine       Browse
               GipsonyVelo.exe                Get hash  malicious   RedLine       Browse
               sRMytgfRpJ.exe                 Get hash  malicious   RedLine       Browse
               HotYVOv1.exe                   Get hash  malicious   RedLine       Browse
               sloppyCatsV1.exe               Get hash  malicious   RedLine       Browse
               UltraViolince.exe              Get hash  malicious   RedLine       Browse
               GTA 5 Mod Menu.exe             Get hash  malicious   RedLine       Browse
               GTA 5 Mod Menu.exe             Get hash  malicious   RedLine       Browse
               UIExecutor.exe                 Get hash  malicious   RedLine       Browse
Match                        Associated Sample Name / URL                         SHA 256   Detection   Threat Name   Link     Context
bg.microsoft.map.fastly.net  http://www.rb.gy/3izvmd/                             Get hash  malicious   Unknown       Browse   199.232.210.172
                             http://https-mail-tiscali-it-emam.weebly.com/        Get hash  malicious   HTMLPhisher   Browse   199.232.214.172
                             http://dhl-tracking-au.blogspot.mk/                  Get hash  malicious   Unknown       Browse   199.232.214.172
                             https://dhl-tracking-au.blogspot.com/                Get hash  malicious   Unknown       Browse   199.232.210.172
                             http://98t87.weebly.com/                             Get hash  malicious   HTMLPhisher   Browse   199.232.214.172
                             https://conbassprox-lgoinz.godaddysites.com/         Get hash  malicious   HTMLPhisher   Browse   199.232.214.172
                             https://bt-107835.weeblysite.com/                    Get hash  malicious   HTMLPhisher   Browse   199.232.210.172
                             https://att-104249.weeblysite.com/                   Get hash  malicious   Unknown       Browse   199.232.214.172
                             https://att-104427.weeblysite.com/                   Get hash  malicious   HTMLPhisher   Browse   199.232.214.172
                             https://att-103033.weeblysite.com/                   Get hash  malicious   Unknown       Browse   199.232.210.172
fp2e7a.wpc.phicdn.net        http://www.rb.gy/3izvmd/                             Get hash  malicious   Unknown       Browse   192.229.221.95
                             https://dev-432403949340149124012.pantheonsite.io/   Get hash  malicious   Unknown       Browse   192.229.221.95
                             http://https-mail-tiscali-it-emam.weebly.com/        Get hash  malicious   HTMLPhisher   Browse   192.229.221.95
                             http://dhl-tracking-au.blogspot.mk/                  Get hash  malicious   Unknown       Browse   192.229.221.95
                             http://att-104522.weeblysite.com/                    Get hash  malicious   Unknown       Browse   192.229.221.95
                             https://dhl-tracking-au.blogspot.com/                Get hash  malicious   Unknown       Browse   192.229.221.95
                             http://98t87.weebly.com/                             Get hash  malicious   HTMLPhisher   Browse   192.229.221.95
                             https://conbassprox-lgoinz.godaddysites.com/         Get hash  malicious   HTMLPhisher   Browse   192.229.221.95
                             http://assfgtgggrg.weebly.com/                       Get hash  malicious   HTMLPhisher   Browse   192.229.221.95
                             https://att-104249.weeblysite.com/                   Get hash  malicious   Unknown       Browse   192.229.221.95
Match             Associated Sample Name / URL   SHA 256   Detection   Threat Name          Link     Context
SIMPLECARRIERCH   by_execute.exe                 Get hash  malicious   RedLine              Browse   185.196.9.26
                  Shark#U041ePShC.exe            Get hash  malicious   RedLine              Browse   185.196.9.26
                  GipsonyVelo.exe                Get hash  malicious   RedLine              Browse   185.196.9.26
                  sRMytgfRpJ.exe                 Get hash  malicious   RedLine              Browse   185.196.9.26
                  zrOUNP9gMJ.exe                 Get hash  malicious   AsyncRAT, VenomRAT   Browse   185.196.10.235
                  Or3dzp4vB1.exe                 Get hash  malicious   XWorm                Browse   185.196.10.235
                  KAV3vJud90.exe                 Get hash  malicious   DarkVision Rat       Browse   185.196.10.235
                  updater.exe                    Get hash  malicious   RHADAMANTHYS         Browse   185.196.11.237
                  HotYVOv1.exe                   Get hash  malicious   RedLine              Browse   185.196.9.26
                  VtkzI2DleKAWijQ.exe            Get hash  malicious   AgentTesla           Browse   185.196.9.150
No context
No context
Process:C:\Users\user\Desktop\Jeverly.exe
File Type:CSV text
Category:dropped
Size (bytes):425
Entropy (8bit):5.353683843266035
Encrypted:false
SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:859802284B12C59DDBB85B0AC64C08F0
SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:false
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):3094
Entropy (8bit):5.33145931749415
Encrypted:false
SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:3FD5C0634443FB2EF2796B9636159CB6
SHA1:366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:false
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.985661590100756
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:Jeverly.exe
File size:317'952 bytes
MD5:e221c44cbccd5d631e95fb0e1a1b1092
SHA1:08407b9ac3dd6effd96ab52dd2ca3569e82fcc1f
SHA256:f682410bcf72767db22da81f75fac2d1c52bc74f692606d2ac1cb26813561213
                                                                                                                                                                                                                                                SHA512:0bccf86582cb1b1ad5c9d46920c89f09f0aa57be56374604ca0ed26b50ebb128d58a847b629ab916da3415f90f2db91e9a1c3295f6d4bdf1e817feaf2488a14c
                                                                                                                                                                                                                                                SSDEEP:6144:aax3DFQOjjaFBAmBeSfP91wkNjslmYwSTtHvzJu+m6dO3hrp:FDemalHjNjslmYl9v8OORr
                                                                                                                                                                                                                                                TLSH:986423B19AC156C0DB7087FC4E7B2974DAAFF15CDAF27F5D81944A0215CAAB20091BB3
                                                                                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=.f............................~.... ........@.. .......................@............`................................
                                                                                                                                                                                                                                                Icon Hash:00928e8e8686b000
                                                                                                                                                                                                                                                Entrypoint:0x44ee7e
                                                                                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                                                                                Imagebase:0x400000
                                                                                                                                                                                                                                                Subsystem:windows cui
                                                                                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                                                Time Stamp:0x66F73D03 [Fri Sep 27 23:17:23 2024 UTC]
                                                                                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                                                                                OS Version Major:4
                                                                                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                                                                                File Version Major:4
                                                                                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                                                                                Subsystem Version Major:4
                                                                                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                                                                                Instruction
                                                                                                                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4ee30 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x5c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x52000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x4ecf8 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

The populated COM_DESCRIPTOR entry (0x48 bytes, the size of the CLR header) marks this as a managed .NET image, which is why the native import table below holds only the mscoree.dll stub. The empty SECURITY entry means the file carries no Authenticode signature.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x4ce84 | 0x4d000 | d7d712d3db135d8930f5d0e33cc83ff2 | False | 0.992716999797078 | data | 7.993833961990217 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x50000 | 0x5c8 | 0x600 | 68f544591fce342af9e6fa73bcad1819 | False | 0.435546875 | data | 4.111096590207842 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x52000 | 0xc | 0x200 | ebcf604fd87598107d0fe541e7d6aed6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

A .text section with an entropy of 7.99 out of 8 bits per byte and a ZLIB complexity of 0.99 is effectively incompressible: almost all of its 0x4d000 bytes are encrypted or compressed payload rather than plain MSIL, which is consistent with the "very large array initializations" signature and with the later injection of a PE image into a foreign process.
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x500a0 | 0x334 | data | | | 0.4426829268292683
RT_MANIFEST | 0x503d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain

This is the only native import, the CLR entry stub every .NET executable carries; the Win32 APIs the sample actually uses (the WMI queries and the process-injection calls listed in the signatures) are resolved at runtime by the CLR and do not appear here.
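The three static tables above (data directories, sections, imports) are what a triage script would reproduce to flag a sample like this before any sandbox run. The following is an added example, not part of the Joe Sandbox report or of its tooling: a dependency-free Python PE reader that computes per-section Shannon entropy and a zlib compression ratio (assumed here to be what the report's "ZLIB Complexity" column measures), checks the COM_DESCRIPTOR directory to recognise a managed image, and flags executable sections whose entropy approaches 8 bits per byte. The input is a constructed minimal PE32 built inline (high-entropy .text, low-entropy .rsrc, non-empty CLR header entry), not the analysed file.

```python
import hashlib
import math
import struct
import zlib

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14      # CLR header slot in the data directory
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed-to-raw size ratio; assumed to be what the report's 'ZLIB
    Complexity' column measures. Values near 1.0 mean the bytes are incompressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def _headers(pe: bytes):
    """Return (optional header offset, is PE32+, section count, section table offset)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt, magic == 0x20B, nsec, opt + opt_size


def data_directory(pe: bytes, index: int):
    """(VirtualAddress, Size) of one data directory entry, (0, 0) if not present."""
    opt, plus, _, _ = _headers(pe)
    ndirs_off = opt + (108 if plus else 92)          # NumberOfRvaAndSizes
    if index >= struct.unpack_from("<I", pe, ndirs_off)[0]:
        return (0, 0)
    return struct.unpack_from("<II", pe, ndirs_off + 4 + 8 * index)


def is_dotnet(pe: bytes) -> bool:
    """A populated COM descriptor directory means a managed image; such files
    import only mscoree.dll!_CorExeMain and resolve everything else via the CLR."""
    va, size = data_directory(pe, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    return va != 0 and size != 0


def section_report(pe: bytes, packed_threshold: float = 7.5):
    """Per-section metrics; an executable section with near-8-bit entropy is
    flagged, since real MSIL or x86 code compresses far better than that."""
    _, _, nsec, sect = _headers(pe)
    rows = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, sect + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        ent, exe = shannon_entropy(data), bool(chars & IMAGE_SCN_MEM_EXECUTE)
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
                     "md5": hashlib.md5(data).hexdigest(), "entropy": ent,
                     "zlib_complexity": zlib_complexity(data), "executable": exe,
                     "suspicious": exe and ent >= packed_threshold})
    return rows


def build_sample_pe() -> bytes:
    """Constructed PE32 stand-in for the analysed file (not the real sample): a
    high-entropy .text, a low-entropy .rsrc and a non-empty CLR header entry."""
    blob, seed = b"", b"constructed-example"
    while len(blob) < 0x1000:                        # deterministic pseudo-random filler
        seed = hashlib.sha256(seed).digest()
        blob += seed
    text, rsrc = blob[:0x1000], b"\0" * 0x180 + b"A" * 0x80
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 0x40   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sections = (struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
                + struct.pack("<8sIIIIIIHHI", b".rsrc", 0x200, 0x3000, 0x200, 0x1200, 0, 0, 0, 0, 0x40000040))
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sections
    return headers + b"\0" * (0x200 - len(headers)) + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    print("managed image:", is_dotnet(sample))
    for row in section_report(sample):
        print("%-6s entropy=%.3f zlib=%.3f suspicious=%s" % (
            row["name"], row["entropy"], row["zlib_complexity"], row["suspicious"]))
```

Run it against a real file by replacing the constructed image with `open(path, "rb").read()`; the 7.5-bit threshold is a triage heuristic, so legitimate binaries with embedded compressed resources will also trip it and the flag should be read together with the section's characteristics and size.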
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-28T07:28:02.726618+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.6 | 49711 | 185.196.9.26 | 6302 | TCP
2024-09-28T07:28:02.726618+0200 | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 192.168.2.6 | 49711 | 185.196.9.26 | 6302 | TCP
2024-09-28T07:28:02.922313+0200 | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 185.196.9.26 | 6302 | 192.168.2.6 | 49711 | TCP
2024-09-28T07:28:08.032027+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.6 | 49711 | 185.196.9.26 | 6302 | TCP
2024-09-28T07:28:08.230303+0200 | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 185.196.9.26 | 6302 | 192.168.2.6 | 49711 | TCP
2024-09-28T07:28:09.614804+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.6 | 49711 | 185.196.9.26 | 6302 | TCP
2024-09-28T07:28:09.856662+0200 | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 192.168.2.6 | 49711 | 185.196.9.26 | 6302 | TCP
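The "MC-NMF" in the second alert refers to .NET Message Framing, the record-based preamble a WCF net.tcp client sends before any SOAP envelope; on a non-standard port to a bare IP it is a strong C2 indicator on its own. The following is an added example, not from the report or from the Emerging Threats rule logic: a small Python decoder for the NMF client preamble (Version, Mode, Via, KnownEncoding, PreambleEnd records, with the 7-bit variable-length length prefix the framing spec uses), a constructed client/server exchange, and a few detection heuristics over the decoded fields. The Via URI in the sample exchange reuses the report's C2 address and port but is itself an assumption; the report does not show the framing payload.

```python
import re

# Record types from the .NET Message Framing (MC-NMF) specification
VERSION, MODE, VIA, KNOWN_ENCODING = 0x00, 0x01, 0x02, 0x03
SIZED_ENVELOPE, END, PREAMBLE_ACK, PREAMBLE_END = 0x06, 0x07, 0x0B, 0x0C
MODES = {1: "SingletonUnsized", 2: "Duplex", 3: "Simplex", 4: "SingletonSized"}
ENCODINGS = {0: "UTF-8 SOAP 1.1", 1: "UTF-16 SOAP 1.1", 2: "Unicode LE SOAP 1.1",
             3: "UTF-8 SOAP 1.2", 4: "UTF-16 SOAP 1.2", 5: "Unicode LE SOAP 1.2",
             6: "MTOM", 7: "Binary", 8: "Binary with in-band dictionary"}
NET_TCP_DEFAULT_PORT = 808          # WCF's default net.tcp listener port


def encode_varint(n: int) -> bytes:
    """NMF length prefix: 7 bits per byte, low bits first, MSB set = more bytes follow."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def decode_varint(buf: bytes, off: int):
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7
        if shift > 28:
            raise ValueError("length prefix too long")


def build_client_preamble(via: str, mode: int = 2, encoding: int = 8) -> bytes:
    """Constructed client preamble: Version 1.0, Mode, Via, KnownEncoding, PreambleEnd."""
    uri = via.encode("utf-8")
    return (bytes([VERSION, 1, 0, MODE, mode, VIA]) + encode_varint(len(uri)) + uri
            + bytes([KNOWN_ENCODING, encoding, PREAMBLE_END]))


def parse_client_preamble(buf: bytes):
    """Decode the preamble records; None if the payload does not start with NMF 1.0."""
    if len(buf) < 3 or buf[0] != VERSION or buf[1] != 1 or buf[2] != 0:
        return None
    info, off = {"version": "1.0", "complete": False}, 3
    try:
        while off < len(buf):
            rec = buf[off]
            off += 1
            if rec == MODE:
                info["mode"] = MODES.get(buf[off], "unknown(%d)" % buf[off])
                off += 1
            elif rec == VIA:
                n, off = decode_varint(buf, off)
                info["via"] = buf[off:off + n].decode("utf-8", "replace")
                off += n
            elif rec == KNOWN_ENCODING:
                info["encoding"] = ENCODINGS.get(buf[off], "unknown(%d)" % buf[off])
                off += 1
            elif rec == PREAMBLE_END:
                info["complete"] = True
                break
            else:                       # envelope/upgrade records do not belong in the preamble
                info["unexpected_record"] = rec
                break
    except IndexError:                  # truncated capture: keep what was decoded
        info["truncated"] = True
    return info


_VIA_RE = re.compile(r"^net\.tcp://(?P<host>[^/:]+)(?::(?P<port>\d+))?/")


def assess(info) -> list:
    """Triage heuristics over a decoded preamble (this example's own, not the ET rule)."""
    findings = []
    m = _VIA_RE.match(info.get("via", "")) if info else None
    if not m:
        return findings
    host, port = m.group("host"), int(m.group("port") or NET_TCP_DEFAULT_PORT)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("net.tcp Via addressed to a bare IPv4 literal")
    if port != NET_TCP_DEFAULT_PORT:
        findings.append("net.tcp on non-default port %d" % port)
    if info.get("encoding", "").startswith("Binary"):
        findings.append("binary SOAP encoding (opaque payload)")
    return findings


def demo():
    """Constructed exchange: client preamble to the report's C2 endpoint, server PreambleAck."""
    client = build_client_preamble("net.tcp://185.196.9.26:6302/")   # Via URI is assumed
    server = bytes([PREAMBLE_ACK])
    info = parse_client_preamble(client)
    return info, assess(info), server[0] == PREAMBLE_ACK


if __name__ == "__main__":
    print(demo())
```

To apply this to a capture, feed `parse_client_preamble` the first TCP payload the client sends on the flow (here 192.168.2.6:49711 to 185.196.9.26:6302); a server reply whose first byte is 0x0B (PreambleAck) confirms a live NMF listener rather than an unrelated service on the port.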
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 28, 2024 07:28:02.031917095 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:02.037030935 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:02.037128925 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:02.045274019 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:02.050328016 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:02.695628881 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:02.726618052 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:02.731578112 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:02.922312975 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:02.965346098 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:08.032027006 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:08.036997080 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230206966 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230221033 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230232000 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230284929 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:08.230303049 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230315924 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230325937 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:08.230448961 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:08.230448961 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.247692108 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.252737999 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.252883911 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.252958059 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253014088 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.253113985 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253143072 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253165007 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.253191948 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.253242970 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253293037 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.253319979 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253348112 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253360987 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.253375053 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253457069 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.253504992 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258387089 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258528948 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258557081 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258584023 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258654118 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258723021 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258734941 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258747101 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.258758068 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.613794088 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.614804029 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.619673014 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.811786890 CEST | 6302 | 49711 | 185.196.9.26 | 192.168.2.6
Sep 28, 2024 07:28:09.855941057 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Sep 28, 2024 07:28:09.856662035 CEST | 49711 | 6302 | 192.168.2.6 | 185.196.9.26
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 28, 2024 07:28:15.557420969 CEST | 1.1.1.1 | 192.168.2.6 | 0x8bc | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Sep 28, 2024 07:28:15.557420969 CEST | 1.1.1.1 | 192.168.2.6 | 0x8bc | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Sep 28, 2024 07:28:17.092367887 CEST | 1.1.1.1 | 192.168.2.6 | 0x36d8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Sep 28, 2024 07:28:17.092367887 CEST | 1.1.1.1 | 192.168.2.6 | 0x36d8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


Target ID: 1
Start time: 01:27:58
Start date: 28/09/2024
Path: C:\Users\user\Desktop\Jeverly.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Jeverly.exe"
Imagebase: 0x230000
File size: 317'952 bytes
MD5 hash: E221C44CBCCD5D631E95FB0E1A1B1092
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.2159167446.0000000003985000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 01:27:58
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 01:27:58
Start date: 28/09/2024
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase: 0x660000
File size: 65'440 bytes
MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2254599428.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000003.00000002.2257875327.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 37.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 40%
Total number of Nodes: 15
Total number of Limit Nodes: 0

Callgraph

Control-flow Graph

APIs
• CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029820B7,029820A7), ref: 029822B4
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029822C7
• Wow64GetThreadContext.KERNEL32(000002F8,00000000), ref: 029822E5
• ReadProcessMemory.KERNELBASE(000002FC,?,029820FB,00000004,00000000), ref: 02982309
• VirtualAllocEx.KERNELBASE(000002FC,?,?,00003000,00000040), ref: 02982334
• WriteProcessMemory.KERNELBASE(000002FC,00000000,?,?,00000000,?), ref: 0298238C
• WriteProcessMemory.KERNELBASE(000002FC,00400000,?,?,00000000,?,00000028), ref: 029823D7
• WriteProcessMemory.KERNELBASE(000002FC,-00000008,?,00000004,00000000), ref: 02982415
• Wow64SetThreadContext.KERNEL32(000002F8,00BA0000), ref: 02982451
• ResumeThread.KERNELBASE(000002F8), ref: 02982460
Strings
Memory Dump Source
• Source File: 00000001.00000002.2157522083.0000000002981000.00000040.00000800.00020000.00000000.sdmp, Offset: 02981000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_2981000_Jeverly.jbxd
Similarity
• API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
• API String ID: 2687962208-1257834847
• Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction ID: 98feeea414db61641ddec09bd1e11841f4d44fb936d7e2cd9f92b190bee6c931
• Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
• Instruction Fuzzy Hash: F1B1E77664028AAFDB60CF68CC80BDA77A5FF88714F158514EA0CAB341D774FA41CB94

Control-flow Graph

[Control-flow graph: node 142 (b81271-b81305, calls VirtualProtectEx) branches to node 146 (b8130c-b8132d) and to node 147 (b81307); node 147 falls through to node 146.]
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00B812F8
Memory Dump Source
• Source File: 00000001.00000002.2156641131.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b80000_Jeverly.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: af89ef29b30bc385349eba95d2a808e935669010f6a21311b21ac8fef1a3e105
• Instruction ID: 4212125ede53aa585284cb19757cb37729de7ca02a85de46c6322526a89017d2
• Opcode Fuzzy Hash: af89ef29b30bc385349eba95d2a808e935669010f6a21311b21ac8fef1a3e105
• Instruction Fuzzy Hash: 462112B1801249DFDB20DFAAC881AEEBBF4FF48310F10851AE519A3250C7B59915CBA1

Control-flow Graph

[Control-flow graph: node 150 (b81278-b81305, calls VirtualProtectEx) branches to node 153 (b8130c-b8132d) and to node 154 (b81307); node 154 falls through to node 153.]
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00B812F8
Memory Dump Source
• Source File: 00000001.00000002.2156641131.0000000000B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_b80000_Jeverly.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 8ef7a8a67f654279af3579d642970d6f767eb9941d92a71e77033fddac6a501d
• Instruction ID: 554f20b08936e013a0552cc5cd33acbeb3c21ae654bcdc46edafecf749884f9f
• Opcode Fuzzy Hash: 8ef7a8a67f654279af3579d642970d6f767eb9941d92a71e77033fddac6a501d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2221E3B5901349DFDB10DFAAC881ADEFBF4FF48710F10842AE919A7250C7B5A911CBA5

Execution Graph

Execution Coverage: 13.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 30
Total number of Limit Nodes: 4
execution_graph 25597 26d4668 25598 26d4684 25597->25598 25599 26d4696 25598->25599 25601 26d47a0 25598->25601 25602 26d47ab 25601->25602 25606 26d48af 25602->25606 25610 26d48b0 25602->25610 25608 26d48d7 25606->25608 25607 26d49b4 25608->25607 25614 26d4248 25608->25614 25612 26d48d7 25610->25612 25611 26d49b4 25611->25611 25612->25611 25613 26d4248 CreateActCtxA 25612->25613 25613->25611 25615 26d5940 CreateActCtxA 25614->25615 25617 26d5a03 25615->25617 25624 26dd0b8 25625 26dd0fe GetCurrentProcess 25624->25625 25627 26dd150 GetCurrentThread 25625->25627 25630 26dd149 25625->25630 25628 26dd18d GetCurrentProcess 25627->25628 25629 26dd186 25627->25629 25631 26dd1c3 25628->25631 25629->25628 25630->25627 25632 26dd1eb GetCurrentThreadId 25631->25632 25633 26dd21c 25632->25633 25618 26db020 25619 26db068 GetModuleHandleW 25618->25619 25620 26db062 25618->25620 25621 26db095 25619->25621 25620->25619 25622 26dd300 DuplicateHandle 25623 26dd396 25622->25623

Control-flow Graph

control_flow_graph 493 54dd6b8-54dd6e3 494 54dd6ea-54dd793 493->494 495 54dd6e5 493->495 500 54dd795-54dd7df 494->500 501 54dd7e2-54dd81a 494->501 495->494 500->501 506 54de002-54de015 501->506 509 54dd81f-54dd9d6 call 54dcf50 506->509 510 54de01b-54de041 506->510 536 54ddfba-54ddfd4 509->536 512 54de050 510->512 513 54de043-54de04f 510->513 516 54de051 512->516 513->512 516->516 538 54dd9db-54ddade call 54d35a8 call 54d35b8 536->538 539 54ddfda-54ddffe 536->539 554 54ddb3f-54ddbb4 538->554 555 54ddae0-54ddb3a 538->555 539->506 567 54ddbd7-54ddbe3 554->567 568 54ddbb6-54ddbd5 554->568 564 54ddbf6-54ddc1b 555->564 569 54ddf9d-54ddfb9 564->569 570 54ddc21-54ddcd8 564->570 575 54ddbe9-54ddbf5 567->575 568->575 569->536 582 54ddf9c 570->582 583 54ddcde-54ddd02 570->583 575->564 582->569 585 54ddf4d-54ddf66 583->585 587 54ddf6c-54ddf89 585->587 588 54ddd07-54ddd80 call 54d8da0 585->588 591 54ddf98 587->591 592 54ddf8b-54ddf97 587->592 598 54ddd87-54dde5b 588->598 599 54ddd82 588->599 591->582 592->591 609 54dde66-54ddf4c call 54da290 598->609 599->598 609->585
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9b4ac53be8fd3e82bf177faf7a3846f42e3aa55aafbb2bb51ac322831e8dc98
• Instruction ID: 230099da82aca27cce8724f0c49a1f8d4483466f97f937cc8ec1f01ac937c3f6
• Opcode Fuzzy Hash: b9b4ac53be8fd3e82bf177faf7a3846f42e3aa55aafbb2bb51ac322831e8dc98
• Instruction Fuzzy Hash: 17429F74E01229CFDB64DF64C894BEEBBB2BB89300F1081EAD509AB254DB755E85CF50

Control-flow Graph

control_flow_graph 621 54db8c8-54db8e8 622 54db8ef-54db9e4 621->622 623 54db8ea 621->623 632 54db9eb-54dba19 622->632 633 54db9e6 622->633 623->622 635 54dbdc1-54dbdca 632->635 633->632 636 54dba1e-54dba27 635->636 637 54dbdd0-54dbe52 635->637 638 54dba2e-54dbb0f call 54db0b8 call 54d189c 636->638 639 54dba29 636->639 651 54dbe59-54dbe87 637->651 652 54dbe54 637->652 672 54dbb14-54dbb48 638->672 639->638 656 54dc244-54dc24d 651->656 652->651 657 54dbe8c-54dbe95 656->657 658 54dc253-54dc283 656->658 661 54dbe9c-54dbf7d call 54db0b8 call 54d189c 657->661 662 54dbe97 657->662 698 54dbf82-54dbfb6 661->698 662->661 676 54dbceb-54dbcff 672->676 679 54dbb4d-54dbbe5 call 54d18ac 676->679 680 54dbd05-54dbd22 676->680 702 54dbbe7-54dbbff 679->702 703 54dbc01 679->703 684 54dbd24-54dbd30 680->684 685 54dbd31-54dbd32 680->685 684->685 685->635 704 54dc16b-54dc17f 698->704 705 54dbc07-54dbc28 702->705 703->705 710 54dbfbb-54dc059 call 54d18ac 704->710 711 54dc185-54dc1a2 704->711 708 54dbc2e-54dbca9 call 54d18ac 705->708 709 54dbcda-54dbcea 705->709 730 54dbcab-54dbcc3 708->730 731 54dbcc5 708->731 709->676 734 54dc05b-54dc073 710->734 735 54dc075 710->735 715 54dc1a4-54dc1b0 711->715 716 54dc1b1-54dc1b2 711->716 715->716 716->656 733 54dbccb-54dbcd9 730->733 731->733 733->709 736 54dc07b-54dc09c 734->736 735->736 739 54dc157-54dc16a 736->739 740 54dc0a2-54dc126 call 54d18ac 736->740 739->704 748 54dc128-54dc140 740->748 749 54dc142 740->749 750 54dc148-54dc156 748->750 749->750 750->739
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d844b1da6adc8c7ea6fb1e8eccde4a444a5a6a8157b6e46ed6aff81e550e8e15
• Instruction ID: f77bfe1cfbf0b8a32424744132465463c637ba1cb144301b746c9b582f1207ad
• Opcode Fuzzy Hash: d844b1da6adc8c7ea6fb1e8eccde4a444a5a6a8157b6e46ed6aff81e550e8e15
• Instruction Fuzzy Hash: 08328F74A01228CFDB64DF65C894BEEB7B2BF89300F5081EAD509AB255DB359E81CF50

Control-flow Graph

control_flow_graph 752 54d9a28-54d9a53 753 54d9a5a-54d9b83 call 54d188c call 54d189c 752->753 754 54d9a55 752->754 768 54da188-54da19c 753->768 754->753 770 54d9b88-54d9b8e 768->770 771 54da1a2-54da1bf 768->771 773 54d9b95-54d9ba2 770->773 774 54da1ce 771->774 775 54da1c1-54da1cd 771->775 776 54d9bcc 773->776 777 54d9ba4-54d9bb0 773->777 778 54da1cf 774->778 775->774 781 54d9bd2-54d9c54 call 54d18ac 776->781 779 54d9bba-54d9bc0 777->779 780 54d9bb2-54d9bb8 777->780 778->778 783 54d9bca 779->783 780->783 790 54d9c56-54d9c5f 781->790 791 54d9c61-54d9c6b 781->791 783->781 792 54d9c71-54d9c81 790->792 791->792 794 54d9c9e-54d9ca5 792->794 795 54d9c83-54d9c98 792->795 796 54d9ceb-54d9cfa 794->796 797 54d9ca7-54d9ce5 794->797 795->794 800 54d9f09 795->800 802 54d9efc-54d9efe 796->802 803 54d9d00-54d9dd2 call 54d18ac 796->803 797->796 797->800 804 54d9f10-54d9f1b 800->804 806 54d9f01-54d9f07 802->806 825 54d9e18-54d9e7d 803->825 826 54d9dd4-54d9e16 803->826 807 54da174-54da187 804->807 808 54d9f21-54d9ff4 call 54d18ac 804->808 806->804 807->768 829 54da018-54da03a 808->829 830 54d9ff6-54da016 808->830 828 54d9e82-54d9ec3 825->828 826->828 837 54d9ecd-54d9ecf 828->837 838 54d9ec5-54d9ecb 828->838 832 54da040-54da0f3 call 54d18ac 829->832 830->832 848 54da0f5-54da115 832->848 849 54da117-54da139 832->849 840 54d9ed6-54d9efa 837->840 838->837 839 54d9ed1 838->839 839->840 840->806 850 54da13f-54da173 848->850 849->850 850->807
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3059e209174481ab09bae99b580cf7ec25f4705eb80cc5070ec1e136c556c32e
• Instruction ID: 269378085bd31e73093ab1044da326dcc046addb70853900121a2aae74162fef
• Opcode Fuzzy Hash: 3059e209174481ab09bae99b580cf7ec25f4705eb80cc5070ec1e136c556c32e
• Instruction Fuzzy Hash: 0A228B74E01229CFDB64DF65C894BD9B7B2BF89300F1085EAD509AB250EB71AE85CF50

Control-flow Graph

control_flow_graph 855 54d7400-54d7420 856 54d7427-54d75b5 call 54d52ec call 54d188c call 54d189c 855->856 857 54d7422 855->857 876 54d7b05-54d7b19 856->876 857->856 878 54d7b1f-54d7b3c 876->878 879 54d75ba-54d75c0 876->879 882 54d7b3e-54d7b4a 878->882 883 54d7b4b 878->883 881 54d75c7-54d75d4 879->881 884 54d75fe 881->884 885 54d75d6-54d75e2 881->885 882->883 888 54d7b4c 883->888 887 54d7604-54d7730 call 54d18ac 884->887 889 54d75ec-54d75f2 885->889 890 54d75e4-54d75ea 885->890 904 54d775a-54d7782 887->904 905 54d7732-54d7758 887->905 888->888 891 54d75fc 889->891 890->891 891->887 906 54d7788-54d78a1 call 54d18ac 904->906 905->906 920 54d78d7-54d790b 906->920 921 54d78a3-54d78d5 906->921 922 54d7911-54d7a36 call 54d18ac 920->922 921->922 936 54d7a38-54d7a70 922->936 937 54d7a72-54d7aaf 922->937 938 54d7ab5-54d7b04 936->938 937->938 938->876
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f7c6aa98a19c3ffd75f2b2702062193515d7622a7f55fe9ff45e8b358aaeb6a
• Instruction ID: ee63791dcdf79727c83edbdae5d5ec76e480b7354ff7611bf33cf520b387d626
• Opcode Fuzzy Hash: 6f7c6aa98a19c3ffd75f2b2702062193515d7622a7f55fe9ff45e8b358aaeb6a
• Instruction Fuzzy Hash: FD223774E012288FDB64DF68C994BDDBBB2BB89300F1081EAD509AB350DB719E85CF50
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bead24d7b2560acd1a963ff197d20d2f817a7365d7030b7555c745e21c08951c
• Instruction ID: 346f9eb9c642484e333788dc0f431b90772c2ac63d7a2c1af4553feedc874642
• Opcode Fuzzy Hash: bead24d7b2560acd1a963ff197d20d2f817a7365d7030b7555c745e21c08951c
• Instruction Fuzzy Hash: 4B02AE74A01228CFDB68DF64C894B9DBBB2BF89300F5085E9D509A7355DB71AE82CF50
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 19284af970b53d9629a8687c51937a80bf049ffc0ef7c9f59f9ab6c6d1c7892b
                                                                                                                                                                                                                                                  • Instruction ID: 2382fd6cdea67acfd0da5777bbab3c08fc600e31958714294ed22f39b818bde0
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 19284af970b53d9629a8687c51937a80bf049ffc0ef7c9f59f9ab6c6d1c7892b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 74F1C274A01269CFDB68DF64C890BEEBBB2BF89300F1085A9D509AB355DB315E81CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: b94a1b0306c3655057ac5e74267dd42e438764cb8d6cc9bc5acf7e03b1293d49
                                                                                                                                                                                                                                                  • Instruction ID: 43f7d339601846d466c37e84b4a475561550fe1f4c538417ce23e0c705790d4a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b94a1b0306c3655057ac5e74267dd42e438764cb8d6cc9bc5acf7e03b1293d49
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BED18F74E05218CFDB64CFA9D994B9DFBB2BF89300F1081AAD409A7355DB349982CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 41c413246265cd2ece2bc94136b224fa085cac4d6c0a69e50d6844cfacfec43d
                                                                                                                                                                                                                                                  • Instruction ID: fbcf9f1067d18df66980e00f9a858d7ae1595a946c89c8df924ec9a0945f355b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 41c413246265cd2ece2bc94136b224fa085cac4d6c0a69e50d6844cfacfec43d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D6D1BF74E01218CFDB64DFA5D894B9DFBB2BF49300F6091AAD409AB391DB309982CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 1e1110af5d5afbb9ac63125900bc0b340cf9077ac6e0f8455522c281b406e38d
                                                                                                                                                                                                                                                  • Instruction ID: b1636422f4dd4034670deb483144fbd92643a58de1089e046d853b37fe6153c3
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1e1110af5d5afbb9ac63125900bc0b340cf9077ac6e0f8455522c281b406e38d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3FB14970E002098FDF14CFA9C9957EEFBF2BF88714F15812AD815A7254EB749846CB91
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: a66f07e83fb2810e66a6325fd37720b200be6878faea4dc6f473ca2deb4ae5ef
                                                                                                                                                                                                                                                  • Instruction ID: 1b2a329646642cdc4ed3f315032f57923e7d7963babba82eb8f4b3dfd10267b2
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a66f07e83fb2810e66a6325fd37720b200be6878faea4dc6f473ca2deb4ae5ef
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 22C1B370D01229CBDB68DF65C854BDEFBB2BF89300F1081EAD509AB254DB759A85CF60
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: cb55291e4b653477a3e66f76c56a8d27c2e3bc0e7bbcd5d4ca29f4b32b272dce
                                                                                                                                                                                                                                                  • Instruction ID: dc6b7b3217f67fa9c1a5a4aa1e3cf45e76495a206b1776b4f90411a1f9706017
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: cb55291e4b653477a3e66f76c56a8d27c2e3bc0e7bbcd5d4ca29f4b32b272dce
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0CB16A71E002198FDB10CFA9C9A57EEFBF2BF88710F25812AD815A7354EB749845CB91
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 2692c6acf6b24edb192819bbe556b8a9b428540f307f0cc31187ff13ed95a5f4
                                                                                                                                                                                                                                                  • Instruction ID: 852cf0c8102049b70be30dad3d4b29ee91d630697d858decc07240b0defd03cc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2692c6acf6b24edb192819bbe556b8a9b428540f307f0cc31187ff13ed95a5f4
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9A1F674E01258CFEB24DFA4C854BAEBBB2BF88300F2081AAD5096B355DB745E85CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: de9c3eeeba6e9cac1964e8819a2643d728a05d913f02fecf26dca4dfd7cb382d
                                                                                                                                                                                                                                                  • Instruction ID: ad5f38f99ab28e8216cfbd97f7c2e02e676c527bfa039510287117619e0870a6
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: de9c3eeeba6e9cac1964e8819a2643d728a05d913f02fecf26dca4dfd7cb382d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B7A1D574E00218CFDB68DFA5C854BAEBBB2FF89300F1081AAD509AB355DB705A85CF51
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 5112ce6809a80c221b6e4783d3d8072e93df542ca803781d55856eadfa3fa400
                                                                                                                                                                                                                                                  • Instruction ID: db7e990d52dd1fbd9925624bdb4c1b19bfcca9123cf94eeca63c97a9191e644e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5112ce6809a80c221b6e4783d3d8072e93df542ca803781d55856eadfa3fa400
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7291B370E01229CBEB68DF65C954BDEBBB2BF88300F1081EAC519AB254DB755E85CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: ae2cb3284a65e65abe09b24bcca8815ca54cf8de1cfdc509088f2a028c110012
                                                                                                                                                                                                                                                  • Instruction ID: 1deea3d54004e46da5e837d39476c0e66c6c4207a8e7a0ff23482c41fe01f702
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ae2cb3284a65e65abe09b24bcca8815ca54cf8de1cfdc509088f2a028c110012
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: B271F274E01218DFDB28DFA5D894AEDFBB2BF89300F20846AD416AB354DB349846CF54

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 026DD136
• GetCurrentThread.KERNEL32 ref: 026DD173
• GetCurrentProcess.KERNEL32 ref: 026DD1B0
• GetCurrentThreadId.KERNEL32 ref: 026DD209
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 55d9b5ed9da87588a7cf1b00ba4bdcd2b28802e7cc7a035d141077659c35ddc9
• Instruction ID: be156ebebbbdd948a627465ab29d7ba8b0fec6a63aaf88ae1ab78f4fc865461e
• Opcode Fuzzy Hash: 55d9b5ed9da87588a7cf1b00ba4bdcd2b28802e7cc7a035d141077659c35ddc9
• Instruction Fuzzy Hash: D45157B1D003498FDB54DFAAD948B9EBBF1FF88314F208459E019A7390DB78A944CB65

Control-flow Graph

APIs
• GetCurrentProcess.KERNEL32 ref: 026DD136
• GetCurrentThread.KERNEL32 ref: 026DD173
• GetCurrentProcess.KERNEL32 ref: 026DD1B0
• GetCurrentThreadId.KERNEL32 ref: 026DD209
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: b25c5e97b8e1a253a3c221567d93fec9817312a30c45f433fb533110c9bb0a59
• Instruction ID: 1e68467fa901aed68692614229a3153fe8f3d21d27f80ffba546245c0651780a
• Opcode Fuzzy Hash: b25c5e97b8e1a253a3c221567d93fec9817312a30c45f433fb533110c9bb0a59
• Instruction Fuzzy Hash: CB5146B1D002498FDB14DFAAD948B9EBBF1FF88314F208459E019A7350DB74A944CB65

Control-flow Graph

Control-flow graph image not recovered; basic blocks span 26d4248-26d5a89, and the entry block 26d4248-26d5a01 calls CreateActCtxA (legend: Executed / Not Executed).
APIs
• CreateActCtxA.KERNEL32(?), ref: 026D59F1
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 0d04b32c964a70e214d5d0ebb2e0a8335daf9f83e86dfeb0fa782a45130fef6f
• Instruction ID: a29d1b2981aaf566d7533f06d30040a78d01fbc9bcfeaffc6988372986503512
• Opcode Fuzzy Hash: 0d04b32c964a70e214d5d0ebb2e0a8335daf9f83e86dfeb0fa782a45130fef6f
• Instruction Fuzzy Hash: 4841E170C0072DCBEB24CFA9C944B9DBBB5FF45704F64806AD409AB251DB756949CF90

Control-flow Graph

Control-flow graph image not recovered; basic blocks span 26d593b-26d5a89, and the block 26d5944-26d5a01 calls CreateActCtxA (legend: Executed / Not Executed).
APIs
• CreateActCtxA.KERNEL32(?), ref: 026D59F1
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 0e4fc92fe989e8166f343d7da1355a3989ece4f572ae81742dab7cc9beababac
• Instruction ID: 6d96573704d4ddd0c4677108433e08924de8fd5b9a8ce4cd367adf154d24f43d
• Opcode Fuzzy Hash: 0e4fc92fe989e8166f343d7da1355a3989ece4f572ae81742dab7cc9beababac
• Instruction Fuzzy Hash: 6941F170C0072DCBEB24CFA9C984B8DBBB1BF44704F24805AD409BB251DB756949CF90

Control-flow Graph

Control-flow graph image not recovered; basic blocks span 26dd2f9-26dd3ba, and the entry block 26dd2f9-26dd394 calls DuplicateHandle (legend: Executed / Not Executed).
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026DD387
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 60b1d462c788d1af7e4e998b93fb5257d2048a2bb02adb2f692ffb128e4065e1
• Instruction ID: 3950936c84e6b6b6630a9f416a6c67055a81fab97b34afda666cfc06f7728b07
• Opcode Fuzzy Hash: 60b1d462c788d1af7e4e998b93fb5257d2048a2bb02adb2f692ffb128e4065e1
• Instruction Fuzzy Hash: C721F2B59002499FDB10CF9AD984ADEFFF4EB48324F24801AE918A3310C378A951CFA0

Control-flow Graph

Control-flow graph image not recovered; basic blocks span 26dd300-26dd3ba, and the entry block 26dd300-26dd394 calls DuplicateHandle (legend: Executed / Not Executed).
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 026DD387
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 6a24b14ea91ec4194f6fdfa55941af2a74efe26341b4fc9d95840bc03c62df6c
• Instruction ID: 373405d10ece053e27f68d123d0655c4e1cffd43315469ad2383582ef8b25500
• Opcode Fuzzy Hash: 6a24b14ea91ec4194f6fdfa55941af2a74efe26341b4fc9d95840bc03c62df6c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1421E3B5D002499FDB10CF9AD984ADEFBF4EB48720F14841AE918A3310D774A954CFA0

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 94 26db020-26db060 95 26db068-26db093 GetModuleHandleW 94->95 96 26db062-26db065 94->96 97 26db09c-26db0b0 95->97 98 26db095-26db09b 95->98 96->95 98->97
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 026DB086
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                                                                                                  • Opcode ID: c0093d4580bfed443f2770aa81edbed6969f0d36e194e5508bbe183428c80b8d
                                                                                                                                                                                                                                                  • Instruction ID: e1deb64e538928e048f0b5f473b8580288112eaf00bcd9efe0bd4b5e4116d631
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c0093d4580bfed443f2770aa81edbed6969f0d36e194e5508bbe183428c80b8d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: FF1110B6C007498FCB20CF9AD544BDEFBF4AF88628F14842AD428B7210C779A545CFA1

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 88 26db01f-26db060 89 26db068-26db093 GetModuleHandleW 88->89 90 26db062-26db065 88->90 91 26db09c-26db0b0 89->91 92 26db095-26db09b 89->92 90->89 92->91
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 026DB086
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: HandleModule
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 4139908857-0
                                                                                                                                                                                                                                                  • Opcode ID: c3191024b953d1d8d7b53a750f69b6d0eadf51d7db033344cfb0a783eedde064
                                                                                                                                                                                                                                                  • Instruction ID: 605241260973369cace1f4387566136eb7c6bc7af300c4549fa2dac7d7481230
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3191024b953d1d8d7b53a750f69b6d0eadf51d7db033344cfb0a783eedde064
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A71102B6C007498FCB10CF9AD544ADEFBF4AB88624F14841AD428B7210C775A545CFA1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2255534510.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_7fd000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 29b4ee276163dbdb3fca884b87e9d5d1f2b5052fb3eb4aee2062a543dd2b6f19
                                                                                                                                                                                                                                                  • Instruction ID: aa7255009b5fab71b655895a27e362d98106b12d3801ed27d4e9baab0b028d52
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 29b4ee276163dbdb3fca884b87e9d5d1f2b5052fb3eb4aee2062a543dd2b6f19
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A721F7B5504288DFDB14DF14D9C0B36BB66FB94314F24C569DE090B356C33AEC56CAA1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2255534510.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_7fd000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: ea284db3823d98c5845ce5caa83fe29dec4d7d044361fda5fbc022c4c25a8680
                                                                                                                                                                                                                                                  • Instruction ID: 51e859a7237eefc0e5d99ad0b0bd60742af2218130c2b9295f44be6bc703c730
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ea284db3823d98c5845ce5caa83fe29dec4d7d044361fda5fbc022c4c25a8680
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C2128B2504248DFDB25DF14D9C0B36BF62FB84318F24C569DA090B356C33ADC66DAA1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2255644870.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_c1d000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: bf6043d7d4f529d1d3a63e59de817f3e629236e81259da8bcd3b9dc1ddea2638
                                                                                                                                                                                                                                                  • Instruction ID: 8b8370ae1d0b73a9cde23168a577b94304b80b1761a9ddf5076c654ddd10471d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: bf6043d7d4f529d1d3a63e59de817f3e629236e81259da8bcd3b9dc1ddea2638
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F213175604340EFCB14DF24D9C0B66BBA1FB89314F20C5ADE90A4B252C77AD887DA62
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2255644870.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_c1d000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 33e2e9f75777a927cc30d7d21f7d166ba3af10bbab0616b524da89b59c926109
                                                                                                                                                                                                                                                  • Instruction ID: 2652206d6a523dc95d4a9561c490f32e6d19e56beed0efa50f279f264a8a8cee
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 33e2e9f75777a927cc30d7d21f7d166ba3af10bbab0616b524da89b59c926109
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7A218E755093C08FCB02CF24D990755BF71EB46314F28C5EAD8498B6A7C33A984ACB62
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2255534510.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_7fd000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
                                                                                                                                                                                                                                                  • Instruction ID: b39a553d4301c0a79469884558c6620f08cf7c8279d55fab26e98ac4c9721707
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a5504dfd99aeaae02a5904faf24bf7c180eb56da23d91347c8bcbb22ee6d9b3
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1311AFB6504284DFCB15CF14D9C4B26BF62FB94324F24C6A9DD094B616C33AE856CBA2
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2255534510.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_7fd000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2257740574.00000000026D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_26d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
Memory Dump Source
• Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: c3204a68abbe2e0f264a6a67e99828cd87f852c1cf1049bcea38a16db4fb3cb5
                                                                                                                                                                                                                                                  • Instruction ID: d0e20606932d82406f6b0d9591e8dffddf3bac6741b9548b3df097fcce1861fa
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c3204a68abbe2e0f264a6a67e99828cd87f852c1cf1049bcea38a16db4fb3cb5
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED3194B5E046588BDB18CFAB99406DEFBF7AFC9300F14D12AD819BB214DB3459468B50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: b7c29cc74542705c6a072ca994275898991b706a1f29bd6393cf88fba1096934
                                                                                                                                                                                                                                                  • Instruction ID: 87258e470761881a2d6938a49c56e2a639cc123d706add248364ded28b78b033
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b7c29cc74542705c6a072ca994275898991b706a1f29bd6393cf88fba1096934
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 733104B5D016488BEB28DFAAD9147DEFBF6AF89300F14D02AD419BB265DB701846CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d464e48b27b006380343c2e17ab11e3c187eae8da36fa38eced76a2c081a2e0e
                                                                                                                                                                                                                                                  • Instruction ID: 2faec46abc6a8ba78c265a7f88f6d5073a8d97617025f9fb52f64943bc2c6b7d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d464e48b27b006380343c2e17ab11e3c187eae8da36fa38eced76a2c081a2e0e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D2017839A08308DFCB00CF94D858AECFBB5FB4A300F11519AE909AB321C7759D46CB90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000003.00000002.2271783316.00000000054D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_54d0000_RegAsm.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 0c87f0023261cb79bafe0d39498ef709427739d6bf1988a714968ea1ee043706
                                                                                                                                                                                                                                                  • Instruction ID: d60ff37b801b1b4f3c598cdd43a209d068a564db5d45de1ccabbf58f76261ff4
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0c87f0023261cb79bafe0d39498ef709427739d6bf1988a714968ea1ee043706
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3E09A30C8A10ECADB14CFA2C424BFEF675AB06208F20544BD80277248CB7086468F71