File 945ACE2428D95A13.Rubeus.exe

Name: 945ACE2428D95A13.Rubeus.exe
Size: 457,216 bytes
Type: EXE PE.NET
MD5: 66368745046c31217b2a1e7fc7c11f24
Scanner Name: defender
Appraisal: Fragile (AND) based
Scan Debug: Duration: 309s / Chunks: 130 / Matches: 19
Scan date: 2023-07-07 04:53:07

Matches

| # | Iteration | Offset | Size | Section | Detail | SectionType | Conclusion |
|---|-----------|--------|------|---------|--------|-------------|------------|
| 0 | 0 | 528 | 4 | .text | DotNet Header IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | DATA | Dominant. Modify this to make file undetected |
| 1 | 0 | 166187 | 7 | .text | methods ::Compare | CODE | Dominant. Modify this to make file undetected |
| 2 | 0 | 166217 | 4 | .text | Metadata Header | DATA | Dominant. Modify this to make file undetected |

Match 0: 528 (size: 4)

Dominant. Modify this to make file undetected

.text DotNet Header IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

00000210   2C A7 02 00                                        ,...

Match 1: 166187 (size: 7)

Dominant. Modify this to make file undetected

.text methods ::Compare

0002892B   2A 42 53 4A 42 01 00                               *BSJB..

0x288f0: Function: ::Compare
0x2891c: 09 ldloc.3
0x2891d: 91 ldelem.u1
0x2891e: 59 sub
0x2891f: 2a ret
0x28920: 09 ldloc.3
0x28921: 17 ldc.i4.1
0x28922: 58 add
0x28923: 0d stloc.3
0x28924: 09 ldloc.3
0x28925: 08 ldloc.2
0x28926: 32 e8 blt.s 0x28910
0x28928: 06 ldloc.0
0x28929: 07 ldloc.1
0x2892a: 59 sub
0x2892b: 2a ret

Match 2: 166217 (size: 4)

Dominant. Modify this to make file undetected

.text Metadata Header

00028949   00 05 00 6C                                        ...l

Verification

Match columns

  • Match#0: DotNet Header 4b
  • Match#1: methods 7b
  • Match#2: Metadata Header 4b
  • Match#3: #Strings Stream Header 11b
  • Match#4: #Strings 21b
  • Match#5: #Strings 28b
  • Match#6: #US 28b
  • Match#7: #US 21b
  • Match#8: #US 97b

| Test # | MatchOrder | ModifyPosition | Idx |
|--------|------------|----------------|-----|
| 0 | ISOLATED | MIDDLE8 | |
| 1 | ISOLATED | THIRDS4 | |
| 2 | ISOLATED | FULL | |
| 3 | ISOLATED | FULLB | |
| 4 | INCREMENTAL | MIDDLE8 | 4 5 6 7 8 |
| 5 | INCREMENTAL | FULL | 0 1 2 3 4 5 6 7 8 |
| 6 | DECREMENTAL | FULL | 8 7 6 5 4 3 2 1 0 |
| 7 | ALL | MIDDLE8 | 0 0 0 0 0 |
| 8 | ALL | THIRDS4 | 0 0 0 0 0 |
| 9 | ALL | FULL | 0 0 0 0 0 0 0 0 0 |
Result

Explanation

Colors

  • Green: Not detected
  • Red: Detected by AV

Match Order

  • Isolated: Test each match individually, by themselves. At most one match is modified per scan
  • Incremental: Modify each match after another, additive. At the end, all matches are modified
  • Decremental: Modify each match after another, additive, downwards (last first)

Position

  • ModifyPosition FULL: Overwrite complete match: MMMMMMMMMMMM
  • ModifyPosition MIDDLE8: Overwrite 8 bytes in the middle of the match (partial): aaaaMMMMMMMMaaaa
  • ModifyPosition THIRD8: Overwrite 8 bytes in the first and second third of the match (partial): aaaaMMMMMMMMaaaaMMMMMMMMaaaa
[INFO    ][2023-07-07 04:53:03,354] main() :: Using file: app/upload/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-07-07 04:53:03,354] handleFile() :: Handle file: app/upload/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-07-07 04:53:03,355] handleFile() :: Using parser for file type DOTNET
[INFO    ][2023-07-07 04:53:03,650] getDotNetSections() :: Offset: 7680
[INFO    ][2023-07-07 04:53:03,652] load() :: Loading HashCache
[INFO    ][2023-07-07 04:53:03,657] load() ::   7563 hashes loaded
[INFO    ][2023-07-07 04:53:07,772] handleFile() :: QuickCheck: 945ACE2428D95A13.Rubeus.exe is detected by defender and not hash based
[INFO    ][2023-07-07 04:53:07,772] handleFile() :: Scanning for matches...
[INFO    ][2023-07-07 04:53:07,772] scanForMatchesInPe() :: Section Detection: Zero section (leave all others intact)
[INFO    ][2023-07-07 04:53:09,098] findDetectedSections() :: Hide: .rsrc -> Detected: True
[INFO    ][2023-07-07 04:53:10,476] findDetectedSections() :: Hide: .reloc -> Detected: True
[INFO    ][2023-07-07 04:53:11,347] findDetectedSections() :: Hide: methods -> Detected: True
[INFO    ][2023-07-07 04:53:12,255] findDetectedSections() :: Hide: #~ -> Detected: True
[INFO    ][2023-07-07 04:53:13,502] findDetectedSections() :: Hide: #Strings -> Detected: True
[INFO    ][2023-07-07 04:53:15,484] findDetectedSections() :: Hide: #US -> Detected: True
[INFO    ][2023-07-07 04:53:16,813] findDetectedSections() :: Hide: #GUID -> Detected: True
[INFO    ][2023-07-07 04:53:18,141] findDetectedSections() :: Hide: #Blob -> Detected: True
[INFO    ][2023-07-07 04:53:18,141] scanForMatchesInPe() :: 0 section(s) trigger the antivirus independantly
[INFO    ][2023-07-07 04:53:18,141] scanForMatchesInPe() :: Section analysis failed. Fall back to non-section-aware reducer (flat-scan)
[INFO    ][2023-07-07 04:53:18,141] _printStatus() :: Reducing: 1 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:20,586] _printStatus() :: Reducing: 2 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:24,215] _printStatus() :: Reducing: 4 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:26,579] _printStatus() :: Reducing: 5 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:29,307] _printStatus() :: Reducing: 6 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:31,750] _printStatus() :: Reducing: 7 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:34,478] _printStatus() :: Reducing: 8 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:37,257] _printStatus() :: Reducing: 9 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:40,170] _printStatus() :: Reducing: 10 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:43,934] _printStatus() :: Reducing: 11 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:46,878] _printStatus() :: Reducing: 12 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:51,850] _printStatus() :: Reducing: 13 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:54,348] _printStatus() :: Reducing: 14 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:56,827] _printStatus() :: Reducing: 15 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:53:59,330] _printStatus() :: Reducing: 16 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:54:01,713] _printStatus() :: Reducing: 17 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:54:04,980] _printStatus() :: Reducing: 18 chunks done, found 0 matches (0 added)
[INFO    ][2023-07-07 04:54:04,980] _scanDataPart() :: Result: 528-532 (4 bytes)
00000210   2C A7 02 00                                        ,...
[INFO    ][2023-07-07 04:54:07,070] _printStatus() :: Reducing: 20 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:09,335] _printStatus() :: Reducing: 21 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:11,895] _printStatus() :: Reducing: 22 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:14,298] _printStatus() :: Reducing: 23 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:16,780] _printStatus() :: Reducing: 24 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:19,374] _printStatus() :: Reducing: 25 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:22,478] _printStatus() :: Reducing: 26 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:24,936] _printStatus() :: Reducing: 27 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:27,039] _printStatus() :: Reducing: 28 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:29,453] _printStatus() :: Reducing: 29 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:31,868] _printStatus() :: Reducing: 30 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:34,331] _printStatus() :: Reducing: 31 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:36,835] _printStatus() :: Reducing: 32 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:39,325] _printStatus() :: Reducing: 33 chunks done, found 1 matches (1 added)
[INFO    ][2023-07-07 04:54:41,448] _scanDataPart() :: Result: 166187-166194 (7 bytes)
0002892B   2A 42 53 4A 42 01 00                               *BSJB..
[INFO    ][2023-07-07 04:54:41,448] _printStatus() :: Reducing: 34 chunks done, found 2 matches (2 added)
[INFO    ][2023-07-07 04:54:43,793] _printStatus() :: Reducing: 35 chunks done, found 2 matches (2 added)
[INFO    ][2023-07-07 04:54:46,227] _printStatus() :: Reducing: 36 chunks done, found 2 matches (2 added)
[INFO    ][2023-07-07 04:54:48,359] _printStatus() :: Reducing: 37 chunks done, found 2 matches (2 added)
[INFO    ][2023-07-07 04:54:50,762] _printStatus() :: Reducing: 38 chunks done, found 2 matches (2 added)
[INFO    ][2023-07-07 04:54:53,116] _printStatus() :: Reducing: 39 chunks done, found 2 matches (2 added)
[INFO    ][2023-07-07 04:54:54,187] _scanDataPart() :: Result: 166217-166221 (4 bytes)
00028949   00 05 00 6C                                        ...l
[INFO    ][2023-07-07 04:54:56,884] _printStatus() :: Reducing: 42 chunks done, found 3 matches (3 added)
[INFO    ][2023-07-07 04:54:59,398] _printStatus() :: Reducing: 43 chunks done, found 3 matches (3 added)
[INFO    ][2023-07-07 04:55:01,996] _printStatus() :: Reducing: 44 chunks done, found 3 matches (3 added)
[INFO    ][2023-07-07 04:55:01,997] _scanDataPart() :: Result: 166238-166242 (4 bytes)
0002895E   00 00 23 53                                        ..#S
[INFO    ][2023-07-07 04:55:04,428] _printStatus() :: Reducing: 46 chunks done, found 4 matches (4 added)
[INFO    ][2023-07-07 04:55:06,635] _scanDataPart() :: Result: 166242-166249 (7 bytes)
00028962   74 72 69 6E 67 73 00                               trings.
[INFO    ][2023-07-07 04:55:06,636] _printStatus() :: Reducing: 47 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:11,373] _printStatus() :: Reducing: 49 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:14,114] _printStatus() :: Reducing: 50 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:16,747] _printStatus() :: Reducing: 51 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:19,136] _printStatus() :: Reducing: 52 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:21,480] _printStatus() :: Reducing: 53 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:24,513] _printStatus() :: Reducing: 54 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:27,110] _printStatus() :: Reducing: 55 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:29,670] _printStatus() :: Reducing: 56 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:32,295] _printStatus() :: Reducing: 57 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:34,660] _printStatus() :: Reducing: 58 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:37,186] _printStatus() :: Reducing: 59 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:39,323] _printStatus() :: Reducing: 60 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:41,887] _printStatus() :: Reducing: 61 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:44,310] _printStatus() :: Reducing: 62 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:46,651] _printStatus() :: Reducing: 63 chunks done, found 4 matches (5 added)
[INFO    ][2023-07-07 04:55:46,651] _scanDataPart() :: Result: 286477-286481 (4 bytes)
00045F0D   00 44 65 62                                        .Deb
[INFO    ][2023-07-07 04:55:48,820] _printStatus() :: Reducing: 65 chunks done, found 5 matches (6 added)
[INFO    ][2023-07-07 04:55:50,870] _scanDataPart() :: Result: 286481-286495 (14 bytes)
00045F11   75 67 67 61 62 6C 65 41 74 74 72 69 62 75          uggableAttribu
[INFO    ][2023-07-07 04:55:50,870] _printStatus() :: Reducing: 66 chunks done, found 5 matches (7 added)
[INFO    ][2023-07-07 04:55:53,412] _printStatus() :: Reducing: 67 chunks done, found 5 matches (7 added)
[INFO    ][2023-07-07 04:55:55,815] _printStatus() :: Reducing: 68 chunks done, found 5 matches (7 added)
[INFO    ][2023-07-07 04:55:55,815] _scanDataPart() :: Result: 286495-286498 (3 bytes)
00045F1F   74 65 00                                           te.
[INFO    ][2023-07-07 04:55:58,241] _printStatus() :: Reducing: 70 chunks done, found 5 matches (8 added)
[INFO    ][2023-07-07 04:56:00,398] _printStatus() :: Reducing: 71 chunks done, found 5 matches (8 added)
[INFO    ][2023-07-07 04:56:02,943] _printStatus() :: Reducing: 72 chunks done, found 5 matches (8 added)
[INFO    ][2023-07-07 04:56:05,335] _printStatus() :: Reducing: 73 chunks done, found 5 matches (8 added)
[INFO    ][2023-07-07 04:56:07,471] _scanDataPart() :: Result: 286662-286676 (14 bytes)
00045FC6   74 65 00 44 65 62 75 67 67 65 72 48 69 64          te.DebuggerHid
[INFO    ][2023-07-07 04:56:07,471] _printStatus() :: Reducing: 74 chunks done, found 6 matches (9 added)
[INFO    ][2023-07-07 04:56:09,862] _printStatus() :: Reducing: 75 chunks done, found 6 matches (9 added)
[INFO    ][2023-07-07 04:56:12,234] _printStatus() :: Reducing: 76 chunks done, found 6 matches (9 added)
[INFO    ][2023-07-07 04:56:14,403] _scanDataPart() :: Result: 286676-286690 (14 bytes)
00045FD4   64 65 6E 41 74 74 72 69 62 75 74 65 00 45          denAttribute.E
[INFO    ][2023-07-07 04:56:14,404] _printStatus() :: Reducing: 77 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:16,882] _printStatus() :: Reducing: 78 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:19,437] _printStatus() :: Reducing: 79 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:21,812] _printStatus() :: Reducing: 80 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:24,440] _printStatus() :: Reducing: 81 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:26,907] _printStatus() :: Reducing: 82 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:29,288] _printStatus() :: Reducing: 83 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:31,772] _printStatus() :: Reducing: 84 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:33,947] _printStatus() :: Reducing: 85 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:36,312] _printStatus() :: Reducing: 86 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:38,716] _printStatus() :: Reducing: 87 chunks done, found 6 matches (10 added)
[INFO    ][2023-07-07 04:56:40,874] _scanDataPart() :: Result: 313645-313659 (14 bytes)
0004C92D   00 01 15 6B 00 72 00 62 00 74 00 67 00 74          ...k.r.b.t.g.t
[INFO    ][2023-07-07 04:56:40,874] _printStatus() :: Reducing: 88 chunks done, found 7 matches (11 added)
[INFO    ][2023-07-07 04:56:43,239] _printStatus() :: Reducing: 89 chunks done, found 7 matches (11 added)
[INFO    ][2023-07-07 04:56:45,814] _printStatus() :: Reducing: 90 chunks done, found 7 matches (11 added)
[INFO    ][2023-07-07 04:56:47,943] _scanDataPart() :: Result: 313659-313673 (14 bytes)
0004C93B   00 2F 00 7B 00 30 00 7D 00 00 37 5B 00 2A          ./.{.0.}..7[.*
[INFO    ][2023-07-07 04:56:47,945] _printStatus() :: Reducing: 91 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:56:50,547] _printStatus() :: Reducing: 92 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:56:52,923] _printStatus() :: Reducing: 93 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:56:55,233] _printStatus() :: Reducing: 94 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:56:57,715] _printStatus() :: Reducing: 95 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:00,060] _printStatus() :: Reducing: 96 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:02,434] _printStatus() :: Reducing: 97 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:04,916] _printStatus() :: Reducing: 98 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:07,264] _printStatus() :: Reducing: 99 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:09,421] _printStatus() :: Reducing: 100 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:11,778] _printStatus() :: Reducing: 101 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:13,955] _printStatus() :: Reducing: 102 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:16,422] _printStatus() :: Reducing: 103 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:18,798] _printStatus() :: Reducing: 104 chunks done, found 7 matches (12 added)
[INFO    ][2023-07-07 04:57:18,798] _scanDataPart() :: Result: 322338-322342 (4 bytes)
0004EB22   5E 00 6B 00                                        ^.k.
[INFO    ][2023-07-07 04:57:20,924] _scanDataPart() :: Result: 322342-322356 (14 bytes)
0004EB26   72 00 62 00 74 00 67 00 74 00 2F 00 2E 00          r.b.t.g.t./...
[INFO    ][2023-07-07 04:57:20,924] _printStatus() :: Reducing: 106 chunks done, found 8 matches (14 added)
[INFO    ][2023-07-07 04:57:23,376] _printStatus() :: Reducing: 107 chunks done, found 8 matches (14 added)
[INFO    ][2023-07-07 04:57:25,935] _printStatus() :: Reducing: 108 chunks done, found 8 matches (14 added)
[INFO    ][2023-07-07 04:57:28,348] _printStatus() :: Reducing: 109 chunks done, found 8 matches (14 added)
[INFO    ][2023-07-07 04:57:30,802] _printStatus() :: Reducing: 110 chunks done, found 8 matches (14 added)
[INFO    ][2023-07-07 04:57:30,803] _scanDataPart() :: Result: 322356-322359 (3 bytes)
0004EB34   2A 00 00                                           *..
[INFO    ][2023-07-07 04:57:33,206] _printStatus() :: Reducing: 112 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:35,511] _printStatus() :: Reducing: 113 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:37,959] _printStatus() :: Reducing: 114 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:40,055] _printStatus() :: Reducing: 115 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:42,365] _printStatus() :: Reducing: 116 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:44,628] _printStatus() :: Reducing: 117 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:47,081] _printStatus() :: Reducing: 118 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:49,275] _printStatus() :: Reducing: 119 chunks done, found 8 matches (15 added)
[INFO    ][2023-07-07 04:57:51,680] _printStatus() :: Reducing: 120 chunks done, found 8 matches (15 added)
[WARNING ][2023-07-07 04:57:51,680] _scanDataPart() :: Doubling minMatchSize to 16
[INFO    ][2023-07-07 04:57:53,757] _scanDataPart() :: Result: 342120-342148 (28 bytes)
00053868   00 00 80 93 28 00 21 00 73 00 61 00 6D 00 41 00    ....(.!.s.a.m.A.
00053878   63 00 63 00 6F 00 75 00 6E 00 74 00                c.c.o.u.n.t.
[INFO    ][2023-07-07 04:57:53,758] _printStatus() :: Reducing: 121 chunks done, found 9 matches (16 added)
[INFO    ][2023-07-07 04:57:56,063] _printStatus() :: Reducing: 122 chunks done, found 9 matches (16 added)
[INFO    ][2023-07-07 04:57:58,439] _printStatus() :: Reducing: 123 chunks done, found 9 matches (16 added)
[INFO    ][2023-07-07 04:58:00,803] _printStatus() :: Reducing: 124 chunks done, found 9 matches (16 added)
[INFO    ][2023-07-07 04:58:02,934] _printStatus() :: Reducing: 125 chunks done, found 9 matches (16 added)
[INFO    ][2023-07-07 04:58:05,033] _printStatus() :: Reducing: 126 chunks done, found 9 matches (16 added)
[INFO    ][2023-07-07 04:58:07,182] _scanDataPart() :: Result: 342148-342175 (27 bytes)
00053884   4E 00 61 00 6D 00 65 00 3D 00 6B 00 72 00 62 00    N.a.m.e.=.k.r.b.
00053894   74 00 67 00 74 00 29 00 28 00 21                   t.g.t.).(.!
[INFO    ][2023-07-07 04:58:07,182] _printStatus() :: Reducing: 127 chunks done, found 9 matches (17 added)
[INFO    ][2023-07-07 04:58:09,402] _scanDataPart() :: Result: 342175-342203 (28 bytes)
0005389F   00 28 00 55 00 73 00 65 00 72 00 41 00 63 00 63    .(.U.s.e.r.A.c.c
000538AF   00 6F 00 75 00 6E 00 74 00 43 00 6F                .o.u.n.t.C.o
[INFO    ][2023-07-07 04:58:09,402] _printStatus() :: Reducing: 128 chunks done, found 9 matches (18 added)
[INFO    ][2023-07-07 04:58:12,007] _printStatus() :: Reducing: 129 chunks done, found 9 matches (18 added)
[INFO    ][2023-07-07 04:58:14,428] _printStatus() :: Reducing: 130 chunks done, found 9 matches (18 added)
[INFO    ][2023-07-07 04:58:16,603] _scanDataPart() :: Result: 342203-342217 (14 bytes)
000538BB   00 6E 00 74 00 72 00 6F 00 6C 00 3A 00 31          .n.t.r.o.l.:.1
[INFO    ][2023-07-07 04:58:16,604] scan() :: Scan Result: Time:298 Chunks:130 MatchesAdded:19 MatchesFinal:9
[INFO    ][2023-07-07 04:58:16,604] handleFile() :: Result: 9 matches
[INFO    ][2023-07-07 04:58:16,605] saveToFile() :: Saving results to: app/upload/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-07-07 04:58:17,619] save() :: Saving HashCache (7820)
[INFO    ][2023-07-07 04:58:17,636] verifyFile() :: Perform verification of matches
[INFO    ][2023-07-07 04:58:17,636] runVerifications() :: Verify 9 matches
[INFO    ][2023-07-07 04:58:25,456] runVerifications() :: Verification run: 0 MIDDLE8 ISOLATED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED

[INFO    ][2023-07-07 04:58:32,321] runVerifications() :: Verification run: 1 THIRDS4 ISOLATED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED

[INFO    ][2023-07-07 04:58:44,871] runVerifications() :: Verification run: 2 FULL ISOLATED
  result: ScanResult.NOT_DETECTED
  result: ScanResult.NOT_DETECTED
  result: ScanResult.NOT_DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED

[INFO    ][2023-07-07 04:58:57,141] runVerifications() :: Verification run: 3 FULLB ISOLATED
  result: ScanResult.NOT_DETECTED
  result: ScanResult.NOT_DETECTED
  result: ScanResult.NOT_DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED
  result: ScanResult.DETECTED

[INFO    ][2023-07-07 04:59:02,468] runVerifications() :: Verification run: 4 MIDDLE8 INCREMENTAL
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  Idx: 4  result: ScanResult.DETECTED
  Idx: 5  result: ScanResult.DETECTED
  Idx: 6  result: ScanResult.DETECTED
  Idx: 7  result: ScanResult.DETECTED
  Idx: 8  result: ScanResult.DETECTED

[INFO    ][2023-07-07 04:59:10,916] runVerifications() :: Verification run: 5 FULL INCREMENTAL
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 1  result: ScanResult.NOT_DETECTED
  Idx: 2  result: ScanResult.NOT_DETECTED
  Idx: 3  result: ScanResult.NOT_DETECTED
  Idx: 4  result: ScanResult.NOT_DETECTED
  Idx: 5  result: ScanResult.NOT_DETECTED
  Idx: 6  result: ScanResult.NOT_DETECTED
  Idx: 7  result: ScanResult.NOT_DETECTED
  Idx: 8  result: ScanResult.NOT_DETECTED

[INFO    ][2023-07-07 04:59:19,728] runVerifications() :: Verification run: 6 FULL DECREMENTAL
  Idx: 8  result: ScanResult.NOT_DETECTED
  Idx: 7  result: ScanResult.NOT_DETECTED
  Idx: 6  result: ScanResult.NOT_DETECTED
  Idx: 5  result: ScanResult.NOT_DETECTED
  Idx: 4  result: ScanResult.DETECTED
  Idx: 3  result: ScanResult.DETECTED
  Idx: 2  result: ScanResult.DETECTED
  Idx: 1  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED

[INFO    ][2023-07-07 04:59:19,729] runVerifications() :: Verification run: 7 MIDDLE8 ALL
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED

[INFO    ][2023-07-07 04:59:21,127] runVerifications() :: Verification run: 8 THIRDS4 ALL
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  Idx: 0  result: ScanResult.DETECTED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED
  result: ScanResult.NOT_SCANNED

[INFO    ][2023-07-07 04:59:21,128] runVerifications() :: Verification run: 9 FULL ALL
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED
  Idx: 0  result: ScanResult.NOT_DETECTED

[INFO    ][2023-07-07 04:59:21,128] saveToFile() :: Saving results to: app/upload/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-07-07 04:59:21,129] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-07-07 04:59:21,439] getDotNetSections() :: Offset: 7680
[INFO    ][2023-07-07 04:59:23,361] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-07-07 04:59:23,371] saveToFile() :: Saving results to: app/upload/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-07-07 04:59:23,372] outflankFile() :: Attempt to outflank the file
[INFO    ][2023-07-07 04:59:23,372] outflankDotnet() :: Outflank failed with attempted 0 patches
[INFO    ][2023-07-07 04:59:23,372] saveToFile() :: Saving results to: app/upload/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-07-07 04:59:23,372] save() :: Saving HashCache (7868)
[INFO    ][2023-09-24 19:22:09,660] load() :: Loading HashCache
[INFO    ][2023-09-24 19:22:09,819] load() ::   101712 hashes loaded
[INFO    ][2023-09-24 19:22:09,819] save() :: Saving HashCache (101712)
[INFO    ][2023-09-24 19:22:09,916] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-09-24 19:22:13,898] init() :: DotnetData entries: 12128
[INFO    ][2023-09-24 19:22:13,899] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-09-24 19:22:13,913] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-24 19:22:13,914] save() :: Saving HashCache (101712)
[INFO    ][2023-09-25 18:15:27,568] main() :: Using file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-25 18:15:27,569] handleFile() :: Handle file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-25 18:15:27,569] handleFile() :: Using parser for file type DOTNET
[INFO    ][2023-09-25 18:15:27,570] parseFile() :: FilePe: Parse File
[INFO    ][2023-09-25 18:15:27,589] parsePeSections() :: FilePe: Parse PE Sections
[INFO    ][2023-09-25 18:15:27,589] parsePeRegions() :: FilePe: Parse PE Regions
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 0 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 3 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 4 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 6 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 7 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 8 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 9 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 10 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 11 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 13 has address 0, skipping
[WARNING ][2023-09-25 18:15:27,589] parsePeRegions() :: Data Directory Section 15 has address 0, skipping
[INFO    ][2023-09-25 18:15:27,590] parseDotNetSections() :: FilePe: Parse DotNet Sections
[INFO    ][2023-09-25 18:15:27,828] parseDotNetRegions() :: FilePe: Parse DotNet Regions
[WARNING ][2023-09-25 18:15:28,126] handleFile() :: Using scanner as defined in outcome: defender
[INFO    ][2023-09-25 18:15:28,127] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-25 18:15:28,128] load() :: Loading HashCache
[INFO    ][2023-09-25 18:15:28,287] load() ::   101712 hashes loaded
[INFO    ][2023-09-25 18:15:28,287] save() :: Saving HashCache (101712)
[INFO    ][2023-09-25 18:15:28,384] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-09-25 18:15:32,457] init() :: DotnetData entries: 12128
[INFO    ][2023-09-25 18:15:32,458] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-09-25 18:15:32,472] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-25 18:15:32,472] save() :: Saving HashCache (101712)
[INFO    ][2023-09-25 18:22:29,148] main() :: Using file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-25 18:22:29,148] handleFile() :: Handle file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-25 18:22:29,149] handleFile() :: Using parser for file type DOTNET
[INFO    ][2023-09-25 18:22:29,149] parseFile() :: FilePe: Parse File
[INFO    ][2023-09-25 18:22:29,168] parsePeSections() :: FilePe: Parse PE Sections
[INFO    ][2023-09-25 18:22:29,168] parsePeRegions() :: FilePe: Parse PE Regions
[WARNING ][2023-09-25 18:22:29,168] parsePeRegions() :: Data Directory Section 0 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 3 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 4 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 6 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 7 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 8 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 9 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 10 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 11 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 13 has address 0, skipping
[WARNING ][2023-09-25 18:22:29,169] parsePeRegions() :: Data Directory Section 15 has address 0, skipping
[INFO    ][2023-09-25 18:22:29,169] parseDotNetSections() :: FilePe: Parse DotNet Sections
[INFO    ][2023-09-25 18:22:29,409] parseDotNetRegions() :: FilePe: Parse DotNet Regions
[WARNING ][2023-09-25 18:22:29,707] handleFile() :: Using scanner as defined in outcome: defender
[INFO    ][2023-09-25 18:22:29,709] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-25 18:22:29,709] load() :: Loading HashCache
[INFO    ][2023-09-25 18:22:29,868] load() ::   101712 hashes loaded
[INFO    ][2023-09-25 18:22:29,868] save() :: Saving HashCache (101712)
[INFO    ][2023-09-25 18:22:29,964] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-09-25 18:22:34,061] init() :: DotnetData entries: 12128
[INFO    ][2023-09-25 18:22:34,061] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-09-25 18:22:34,076] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-25 18:22:34,076] save() :: Saving HashCache (101712)
[INFO    ][2023-09-29 10:07:59,241] main() :: Using file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-29 10:07:59,242] handleFile() :: Handle file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-29 10:07:59,243] handleFile() :: Using parser for file type DOTNET
[INFO    ][2023-09-29 10:07:59,243] parseFile() :: FilePe: Parse File
[INFO    ][2023-09-29 10:07:59,262] parsePeSections() :: FilePe: Parse PE Sections
[INFO    ][2023-09-29 10:07:59,262] parsePeRegions() :: FilePe: Parse PE Regions
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 0 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 3 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 4 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 6 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 7 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 8 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 9 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 10 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 11 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 13 has address 0, skipping
[WARNING ][2023-09-29 10:07:59,262] parsePeRegions() :: Data Directory Section 15 has address 0, skipping
[INFO    ][2023-09-29 10:07:59,262] parseDotNetSections() :: FilePe: Parse DotNet Sections
[WARNING ][2023-09-29 10:07:59,502] handleFile() :: Using scanner as defined in outcome: defender
[INFO    ][2023-09-29 10:07:59,503] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-29 10:07:59,504] load() :: Loading HashCache
[INFO    ][2023-09-29 10:07:59,670] load() ::   102070 hashes loaded
[INFO    ][2023-09-29 10:07:59,670] save() :: Saving HashCache (102070)
[INFO    ][2023-09-29 10:07:59,767] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-09-29 10:08:03,870] init() :: DotnetData entries: 12128
[INFO    ][2023-09-29 10:08:03,871] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-09-29 10:08:03,885] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-29 10:08:03,886] save() :: Saving HashCache (102070)
[INFO    ][2023-09-29 12:12:32,611] main() :: Using file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-29 12:12:32,611] handleFile() :: Handle file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-29 12:12:32,612] handleFile() :: Using parser for file type DOTNET
[INFO    ][2023-09-29 12:12:32,612] parseFile() :: FilePe: Parse File
[INFO    ][2023-09-29 12:12:32,631] parsePeSections() :: FilePe: Parse PE Sections
[INFO    ][2023-09-29 12:12:32,631] parsePeRegions() :: FilePe: Parse PE Regions
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 0 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 3 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 4 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 6 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 7 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 8 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 9 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 10 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 11 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 13 has address 0, skipping
[WARNING ][2023-09-29 12:12:32,631] parsePeRegions() :: Data Directory Section 15 has address 0, skipping
[INFO    ][2023-09-29 12:12:32,631] parseDotNetSections() :: FilePe: Parse DotNet Sections
[WARNING ][2023-09-29 12:12:32,871] handleFile() :: Using scanner as defined in outcome: defender
[INFO    ][2023-09-29 12:12:32,873] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-29 12:12:32,873] load() :: Loading HashCache
[INFO    ][2023-09-29 12:12:33,042] load() ::   102070 hashes loaded
[INFO    ][2023-09-29 12:12:33,042] save() :: Saving HashCache (102070)
[INFO    ][2023-09-29 12:12:33,138] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-09-29 12:12:37,225] init() :: DotnetData entries: 12128
[INFO    ][2023-09-29 12:12:37,226] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-09-29 12:12:37,241] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-29 12:12:37,241] save() :: Saving HashCache (102070)
[INFO    ][2023-09-30 10:33:27,443] main() :: Using file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-30 10:33:27,443] handleFile() :: Handle file: app/examples/945ACE2428D95A13.Rubeus.exe
[INFO    ][2023-09-30 10:33:27,444] handleFile() :: Using parser for file type DOTNET
[INFO    ][2023-09-30 10:33:27,445] parseFile() :: FilePe: Parse File
[INFO    ][2023-09-30 10:33:27,463] parsePeSections() :: FilePe: Parse PE Sections
[INFO    ][2023-09-30 10:33:27,463] parsePeRegions() :: FilePe: Parse PE Regions
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 0 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 3 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 4 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 6 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 7 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 8 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 9 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 10 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 11 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 13 has address 0, skipping
[WARNING ][2023-09-30 10:33:27,464] parsePeRegions() :: Data Directory Section 15 has address 0, skipping
[INFO    ][2023-09-30 10:33:27,464] parseDotNetSections() :: FilePe: Parse DotNet Sections
[WARNING ][2023-09-30 10:33:27,705] handleFile() :: Using scanner as defined in outcome: defender
[INFO    ][2023-09-30 10:33:27,706] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-30 10:33:27,706] load() :: Loading HashCache
[INFO    ][2023-09-30 10:33:27,872] load() ::   102072 hashes loaded
[INFO    ][2023-09-30 10:33:27,873] save() :: Saving HashCache (102072)
[INFO    ][2023-09-30 10:33:27,970] augmentFile() :: Perform augmentation of matches
[INFO    ][2023-09-30 10:33:32,065] init() :: DotnetData entries: 12128
[INFO    ][2023-09-30 10:33:32,065] disassembleDotNet() :: Match physical 166187/0x2892B, method disassemblies found: 1
[INFO    ][2023-09-30 10:33:32,079] saveToFile() :: Saving results to: app/examples/945ACE2428D95A13.Rubeus.exe.outcome
[INFO    ][2023-09-30 10:33:32,080] save() :: Saving HashCache (102072)