Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1440170
MD5:43b0461d2e1c77a8530d66d3e1ae0175
SHA1:96c50c5b2d652a572e18147e213e8bea38118f94
SHA256:d4536f1b7e5fbfdfe66be6a404147230dcff7728bc559b493d7bdd8e1adaea08
Tags:exe
Infos:

Detection

PrivateLoader, Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected AntiVM3
Yara detected PrivateLoader
Yara detected Vidar
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 43B0461D2E1C77A8530D66D3E1AE0175)
    • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 2832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 7700 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAAKJJDAAK" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 7756 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
PrivateLoaderAccording to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader
NameDescriptionAttributionBlogpost URLsLink
VidarVidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199681720597"], "Botnet": "681a223bec180ebfdc48547d3d5bd784", "Version": "9.6"}

Yara Signatures

PCAP (Network Traffic)

SourceRuleDescriptionAuthorStrings
sslproxydump.pcapJoeSecurity_Vidar_2Yara detected VidarJoe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dllJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security
      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dllJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
          00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmpINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
          • 0x221f0:$s1: JohnDoe
          • 0x32f80:$s1: JohnDoe
          • 0x221e8:$s2: HAL9TH
          00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
            00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
              00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                Click to see the 4 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                2.2.RegAsm.exe.400000.0.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                  2.2.RegAsm.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
                  • 0x20ff0:$s1: JohnDoe
                  • 0x20fe8:$s2: HAL9TH
                  2.2.RegAsm.exe.400000.0.raw.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                    2.2.RegAsm.exe.400000.0.raw.unpackINDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulationDetects executables containing potential Windows Defender anti-emulation checksditekSHen
                    • 0x221f0:$s1: JohnDoe
                    • 0x32f80:$s1: JohnDoe
                    • 0x221e8:$s2: HAL9TH
                    0.2.file.exe.630000.0.unpackJoeSecurity_Vidar_1Yara detected Vidar stealerJoe Security
                      Click to see the 1 entries

                      Sigma Signatures

                      No Sigma rule has matched

                      Snort Signatures

                      No Snort rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus / Scanner detection for submitted sample
                      Source: file.exeAvira: detected
                      Found malware configuration
                      Source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199681720597"], "Botnet": "681a223bec180ebfdc48547d3d5bd784", "Version": "9.6"}
                      Multi AV Scanner detection for domain / URL
                      Source: https://65.109.242.112Virustotal: Detection: 11%Perma Link
                      Source: https://65.109.242.112/Virustotal: Detection: 11%Perma Link
                      Source: https://65.109.242.112/sqlx.dllVirustotal: Detection: 10%Perma Link
                      Source: https://65.109.242.112/#Virustotal: Detection: 11%Perma Link
                      Machine Learning detection for sample
                      Source: file.exeJoe Sandbox ML: detected
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004062F8 CryptUnprotectData,LocalAlloc,LocalFree,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00410D92 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00406295 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00408331 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00402484 memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C95A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9544C0 PK11_PubEncrypt,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C924420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C954440 PK11_PrivDecrypt,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9A25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C95A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C938670 PK11_ExportEncryptedPrivKeyInfo,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C97A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C980180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9543B0 PK11_PubEncryptPKCS1,PR_SetError,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C977C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C97BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C937D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C979EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C953FF0 PK11_PrivDecryptPKCS1,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C953850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C959840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: unknownHTTPS traffic detected: 23.195.238.96:443 -> 192.168.2.4:49730 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 65.109.242.112:443 -> 192.168.2.4:49731 version: TLS 1.2
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2178967195.000000006F90D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                      Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                      Source: Binary string: C:\na3eg3m\First.pdb source: file.exe
                      Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                      Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                      Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                      Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                      Source: Binary string: C:\na3eg3m\First.pdb% source: file.exe
                      Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2178967195.000000006F90D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                      Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
                      Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr

                      Spreading

                      barindex
                      Yara detected PrivateLoader
                      Source: Yara matchFile source: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll, type: DROPPED
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006CF963 FindFirstFileExW,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006CFE47 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004163B3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004154FA _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B4B6 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409538 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C6CD _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415BC6 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409FC5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409953 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040A9D4 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415F6A _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415947 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                      Networking

                      barindex
                      Yara detected PrivateLoader
                      Source: Yara matchFile source: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll, type: DROPPED
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199681720597
                      Source: global trafficHTTP traffic detected: GET /profiles/76561199681720597 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                      Source: Joe Sandbox ViewIP Address: 23.195.238.96 23.195.238.96
                      Source: Joe Sandbox ViewIP Address: 65.109.242.112 65.109.242.112
                      Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                      Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHCGHJDBFIIDGDHIJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBGCFIEHCFIDGCAAFBUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFHIJDHDGDBFHIEHDGIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBGCBGCAFIIECBFIDHIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 7109Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /sqlx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHCGHJDBFIIDGDHIJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBAFCBKFIDGCAKKKFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAAAFBKFIECAAKECGCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAKJJDAAKFHJKJKFCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAFBFIEHIDBGDHCGIEUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKECAFBFHJDGDHIEHJDUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDAAEHIEHIECBKJDGUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 131529Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHIIUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: unknownTCP traffic detected without corresponding DNS query: 65.109.242.112
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004041DB _EH_prolog,GetProcessHeap,RtlAllocateHeap,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                      Source: global trafficHTTP traffic detected: GET /profiles/76561199681720597 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /sqlx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Cache-Control: no-cache
                      Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBKFHIJKJKECAAAECAUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 OPR/101.0.0.0Host: 65.109.242.112Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0A
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0C
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0N
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0X
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://store.st
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2178967195.000000006F90D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: RegAsm.exe, 00000002.00000002.2175331068.000000001B68D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://65.109.242.112
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/#
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/freebl3.dll
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/freebl3.dllo
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/mozglue.dll
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/mozglue.dlle
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/msvcp140.dll
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/nss3.dll
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/nss3.dllMsi
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/p
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/softokn3.dll
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/softokn3.dllM
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000530000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/sqlx.dll
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112/vcruntime140.dll
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000530000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112HJJ
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://65.109.242.112JDG
                      Source: EBAFBG.2.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                      Source: EBAFBG.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: EBAFBG.2.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: EBAFBG.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=L7WZiiqgcxXO&a
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ZQOnBoEs
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=qzBY
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=yXrh2LzpDwct&l=e
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                      Source: EBAFBG.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: EBAFBG.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: EBAFBG.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://help.steampowered.com/en/
                      Source: GHCGDA.2.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: https://mozilla.org0/
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/discussions/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199681720597
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/market/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                      Source: file.exe, 00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2171023727.0000000000F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199681720597
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199681720597/badges
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199681720597/inventory/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199681720597GL
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199681720597eL
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://steamcommunity.com/workshop/
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/
                      Source: 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/about/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/explore/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/legal/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/mobile
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/news/
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/points/shop/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/stats/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                      Source: AEHIEC.2.drString found in binary or memory: https://support.mozilla.org
                      Source: AEHIEC.2.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                      Source: AEHIEC.2.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000060E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                      Source: file.exe, 00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/talmatin
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                      Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: EBAFBG.2.drString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                      Source: EBAFBG.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: AEHIEC.2.drString found in binary or memory: https://www.mozilla.org
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                      Source: AEHIEC.2.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/ost.exe
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/WHpWtlueYcBpS.exe
                      Source: AEHIEC.2.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/v4.0.30319
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                      Source: AEHIEC.2.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                      Source: AEHIEC.2.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                      Source: AEHIEC.2.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                      Source: RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%2
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                      Source: unknownHTTPS traffic detected: 23.195.238.96:443 -> 192.168.2.4:49730 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 65.109.242.112:443 -> 192.168.2.4:49731 version: TLS 1.2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004112E3 _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                      Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                      Source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                      Source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA262C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B017F
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006941FB
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006CC2C1
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006983D0
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B05BD
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D477F
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006DC82F
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B0AE6
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00680D28
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065CF15
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065CF15
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00694F90
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006B1022
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0065CF15
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006ADF2A
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AE344
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006EE400
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0067A408
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0067A408
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AE770
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AEB8A
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AEFFB
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AF47F
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006CB6F9
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00697820
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AF8F0
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006BB8A5
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006BB8A5
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006AFD2E
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00697E90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041C1DA
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E2F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041BC89
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041CE07
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C89ECC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8FECD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C966C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C97AC30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8AAC60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C936D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A4DB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA2CDC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA28D20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9CAD50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C96ED70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C926E90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8AAEC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C940EC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C980E20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93EE70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E8FB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8AEFB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C97EFF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A0FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A6F10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E0F20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C90EF40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C962F70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C98C8C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9A68E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8F0820
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C92A820
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C974840
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9609B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9309A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C95A9A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9BC9E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8D49F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8F6900
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8D8960
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C91EA80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C94EA00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C958A30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C91CA70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A8BAC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C940BA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C98EBD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9A6BE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9CA480
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93A4D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8E64D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C92A430
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C904420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8B8460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8945B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C92E5F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C96A5E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E8550
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8F8540
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9A4540
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C940570
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C902560
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8C46D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8FE6E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93E6E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8FC650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8CA7D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C920700
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C898090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C97C0B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8B00B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C968010
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C96C000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8EE070
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A01E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C916130
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C984130
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C908140
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C96E2B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9722A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8BA2B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA262C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C96A210
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C978220
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C938250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C928260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8D23A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8FE3B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8F43E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C912320
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A8340
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C936370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E2370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A2370
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9BC360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93FC80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9DDCD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C961CE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8B1C30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8A3C40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9C9C40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C893D80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E9D90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C971DC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C903D00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8C3EC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9ADE10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA25E60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9FBE70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8C1F90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9BDFC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA23FC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C94BFF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9A3F30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8D5F20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C895F30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9F7F20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93F8C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C97F8F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8AD8E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8D38E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9FB8F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8FD810
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C973840
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C971990
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8B1980
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9399C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8D99D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9059F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9379F0
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 00632356 appears 55 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 006C3DA8 appears 37 times
                      Source: C:\Users\user\Desktop\file.exeCode function: String function: 0063326A appears 45 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004024FF appears 312 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C8FC5E0 appears 35 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6CA209D0 appears 282 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 0041820E appears 103 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C8C3620 appears 74 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C8C9B10 appears 85 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6CA2D930 appears 51 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C9D9F30 appears 33 times
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6CA2DAE0 appears 63 times
                      Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                      Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                      Source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                      Source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/25@1/2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C900300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004111A4 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041070C CoCreateInstance,SysAllocString,SysFreeString,_wtoi64,SysFreeString,SysFreeString,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199681720597[1].htmJump to behavior
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                      Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                      Source: IIEBAF.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                      Source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                      Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                      Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAAKJJDAAK" & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAAKJJDAAK" & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                      Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.fileexplorer.common.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntshrui.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dlnashext.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wpdshext.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pcacli.dll
                      Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: file.exeStatic file information: File size 1153024 > 1048576
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2178967195.000000006F90D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                      Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                      Source: Binary string: C:\na3eg3m\First.pdb source: file.exe
                      Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                      Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                      Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                      Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2178504934.000000006CA2F000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                      Source: Binary string: C:\na3eg3m\First.pdb% source: file.exe
                      Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2178967195.000000006F90D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                      Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2175231942.000000001B658000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
                      Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004177AB GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: file.exeStatic PE information: section name: .00cfg
                      Source: softokn3.dll.2.drStatic PE information: section name: .00cfg
                      Source: softokn3[1].dll.2.drStatic PE information: section name: .00cfg
                      Source: freebl3.dll.2.drStatic PE information: section name: .00cfg
                      Source: freebl3[1].dll.2.drStatic PE information: section name: .00cfg
                      Source: mozglue.dll.2.drStatic PE information: section name: .00cfg
                      Source: mozglue[1].dll.2.drStatic PE information: section name: .00cfg
                      Source: msvcp140.dll.2.drStatic PE information: section name: .didat
                      Source: msvcp140[1].dll.2.drStatic PE information: section name: .didat
                      Source: sqlx[1].dll.2.drStatic PE information: section name: .00cfg
                      Source: nss3.dll.2.drStatic PE information: section name: .00cfg
                      Source: nss3[1].dll.2.drStatic PE information: section name: .00cfg
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006322E8 push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00419335 push ecx; ret
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\freebl3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\msvcp140.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\mozglue.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\softokn3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\nss3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\freebl3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\msvcp140.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\mozglue.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\softokn3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\BGDAAKJJDAAK\nss3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004177AB GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2832, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
                      Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
                      Source: RegAsm.exeBinary or memory string: API_LOG.DLL
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\BGDAAKJJDAAK\freebl3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\BGDAAKJJDAAK\softokn3.dllJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\BGDAAKJJDAAK\nss3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\file.exeAPI coverage: 9.7 %
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 6.0 %
                      Source: C:\Windows\SysWOW64\timeout.exe TID: 7760Thread sleep count: 90 > 30
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FD2C GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FE3Fh
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006CF963 FindFirstFileExW,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006CFE47 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004163B3 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004154FA _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B4B6 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409538 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C6CD _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415BC6 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409FC5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409953 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040A9D4 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415F6A _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415947 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FEC8 GetSystemInfo,wsprintfA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RegAsm.exe, 00000002.00000002.2171551274.0000000003525000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2171023727.0000000000EFA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end node
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006785BC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004177AB GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D23FF mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D2452 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D24A5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D2516 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D265E mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D2609 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D26F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006D26B3 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006BED17 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401000 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0067807F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006785BC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00689365 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004194DF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E598 SetUnhandledExceptionFilter,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041AA07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9DAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Allocates memory in foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                      Contains functionality to inject code into remote processes
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00F1018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,
                      Injects a PE file into a foreign processes
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                      Searches for specific processes (likely to inject)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004111A4 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                      Writes to foreign memory regions
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42F000
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 642000
                      Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AE1008
                      Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAAKJJDAAK" & exit
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6CA24760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C901C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00677D17 cpuid
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoEx,
                      Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoEx,FormatMessageA,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006C43D7 GetSystemTimeAsFileTime,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FC12 GetProcessHeap,HeapAlloc,GetUserNameA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FCD9 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C928390 NSS_GetVersion,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected PrivateLoader
                      Source: Yara matchFile source: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll, type: DROPPED
                      Yara detected Vidar
                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Yara detected Vidar stealer
                      Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 2520, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2832, type: MEMORYSTR
                      Found many strings related to Crypto-Wallets (likely being stolen)
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2170451919.0000000000439000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: window-state.json
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exeString found in binary or memory: \Exodus\
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exeString found in binary or memory: Exodus
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Source: RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                      Opens network shares
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: \\config\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: \\config\
                      Tries to harvest and steal Bitcoin Wallet information
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                      Tries to harvest and steal browser information (history, passwords, etc)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Tries to harvest and steal ftp login credentials
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                      Tries to steal Crypto Currency Wallets
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                      Source: Yara matchFile source: 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2832, type: MEMORYSTR

                      Remote Access Functionality

                      barindex
                      Yara detected PrivateLoader
                      Source: Yara matchFile source: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll, type: DROPPED
                      Yara detected Vidar
                      Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                      Yara detected Vidar stealer
                      Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.file.exe.630000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: file.exe PID: 2520, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 2832, type: MEMORYSTR
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E0C40 sqlite3_bind_zeroblob,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E0D60 sqlite3_bind_parameter_name,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C908EA0 sqlite3_clear_bindings,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C906410 bind,WSAGetLastError,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9060B0 listen,WSAGetLastError,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C90C030 sqlite3_bind_parameter_count,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C90C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C906070 PR_Listen,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8922D0 sqlite3_bind_blob,
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9063C0 PR_Bind,

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		1
                      Deobfuscate/Decode Files or Information                      		2
                      OS Credential Dumping                      		2
                      System Time Discovery                      		Remote Services1
                      Archive Collected Data                      		2
                      Ingress Tool Transfer                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Native API                      		Boot or Logon Initialization Scripts511
                      Process Injection                      		2
                      Obfuscated Files or Information                      		1
                      Credentials in Registry                      		1
                      Account Discovery                      		Remote Desktop Protocol4
                      Data from Local System                      		21
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
                      DLL Side-Loading                      		Security Account Manager4
                      File and Directory Discovery                      		SMB/Windows Admin Shares1
                      Screen Capture                      		3
                      Non-Application Layer Protocol                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                      Masquerading                      		NTDS56
                      System Information Discovery                      		Distributed Component Object ModelInput Capture114
                      Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Virtualization/Sandbox Evasion                      		LSA Secrets1
                      Network Share Discovery                      		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts511
                      Process Injection                      		Cached Domain Credentials141
                      Security Software Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                      Virtualization/Sandbox Evasion                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem12
                      Process Discovery                      		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                      System Owner/User Discovery                      		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1440170 Sample: file.exe Startdate: 12/05/2024 Architecture: WINDOWS Score: 100 33 steamcommunity.com 2->33 39 Multi AV Scanner detection for domain / URL 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 9 file.exe 1 2->9         started        signatures3 process4 signatures5 47 Contains functionality to inject code into remote processes 9->47 49 Writes to foreign memory regions 9->49 51 Allocates memory in foreign processes 9->51 53 Injects a PE file into a foreign processes 9->53 12 RegAsm.exe 1 45 9->12         started        17 conhost.exe 9->17         started        process6 dnsIp7 35 65.109.242.112, 443, 49731, 49732 ALABANZA-BALTUS United States 12->35 37 steamcommunity.com 23.195.238.96, 443, 49730 AKAMAI-ASUS United States 12->37 25 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 12->25 dropped 27 C:\Users\user\AppData\...\softokn3[1].dll, PE32 12->27 dropped 29 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 12->29 dropped 31 10 other files (none is malicious) 12->31 dropped 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->55 57 Found many strings related to Crypto-Wallets (likely being stolen) 12->57 59 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->59 61 6 other signatures 12->61 19 cmd.exe 1 12->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started        23 timeout.exe 1 19->23         started       

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      file.exe100%AviraHEUR/AGEN.1318539
                      file.exe100%Joe Sandbox ML

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\ProgramData\BGDAAKJJDAAK\freebl3.dll0%ReversingLabs
                      C:\ProgramData\BGDAAKJJDAAK\freebl3.dll0%VirustotalBrowse
                      C:\ProgramData\BGDAAKJJDAAK\mozglue.dll0%ReversingLabs
                      C:\ProgramData\BGDAAKJJDAAK\mozglue.dll0%VirustotalBrowse
                      C:\ProgramData\BGDAAKJJDAAK\msvcp140.dll0%ReversingLabs
                      C:\ProgramData\BGDAAKJJDAAK\msvcp140.dll0%VirustotalBrowse
                      C:\ProgramData\BGDAAKJJDAAK\nss3.dll0%ReversingLabs
                      C:\ProgramData\BGDAAKJJDAAK\nss3.dll0%VirustotalBrowse
                      C:\ProgramData\BGDAAKJJDAAK\softokn3.dll0%ReversingLabs
                      C:\ProgramData\BGDAAKJJDAAK\softokn3.dll0%VirustotalBrowse
                      C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll0%ReversingLabs
                      C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll1%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll0%VirustotalBrowse
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll0%ReversingLabs
                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll0%VirustotalBrowse

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi0%URL Reputationsafe
                      https://mozilla.org0/0%URL Reputationsafe
                      https://mozilla.org0/0%URL Reputationsafe
                      https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta0%URL Reputationsafe
                      https://65.109.242.112/freebl3.dllo0%Avira URL Cloudsafe
                      http://store.st0%Avira URL Cloudsafe
                      https://65.109.242.112/nss3.dllMsi0%Avira URL Cloudsafe
                      https://65.109.242.112/softokn3.dllM0%Avira URL Cloudsafe
                      https://65.109.242.112/msvcp140.dll0%Avira URL Cloudsafe
                      https://65.109.242.112/freebl3.dll0%Avira URL Cloudsafe
                      https://65.109.242.1120%Avira URL Cloudsafe
                      https://65.109.242.112/vcruntime140.dll0%Avira URL Cloudsafe
                      https://65.109.242.112/sqlx.dll0%Avira URL Cloudsafe
                      https://65.109.242.112/0%Avira URL Cloudsafe
                      https://65.109.242.112/softokn3.dll0%Avira URL Cloudsafe
                      https://65.109.242.112HJJ0%Avira URL Cloudsafe
                      https://65.109.242.112/mozglue.dll0%Avira URL Cloudsafe
                      https://65.109.242.112/mozglue.dlle0%Avira URL Cloudsafe
                      https://65.109.242.11212%VirustotalBrowse
                      https://65.109.242.112/12%VirustotalBrowse
                      https://65.109.242.112/p0%Avira URL Cloudsafe
                      https://65.109.242.112/nss3.dll0%Avira URL Cloudsafe
                      https://65.109.242.112JDG0%Avira URL Cloudsafe
                      https://65.109.242.112/#0%Avira URL Cloudsafe
                      https://65.109.242.112/sqlx.dll11%VirustotalBrowse
                      https://65.109.242.112/#12%VirustotalBrowse

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      steamcommunity.com
                      		23.195.238.96
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://65.109.242.112/msvcp140.dllfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/freebl3.dllfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/vcruntime140.dllfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/sqlx.dllfalse
                        • 11%, Virustotal, Browse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/false
                        • 12%, Virustotal, Browse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/softokn3.dllfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/mozglue.dllfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://65.109.242.112/nss3.dllfalse
                        • Avira URL Cloud: safe
                        		unknown
                        https://steamcommunity.com/profiles/76561199681720597false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://duckduckgo.com/chrome_newtabEBAFBG.2.drfalse
                            		high
                            https://duckduckgo.com/ac/?q=EBAFBG.2.drfalse
                              		high
                              https://steamcommunity.com/?subsection=broadcastsRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                		high
                                https://65.109.242.112/nss3.dllMsiRegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drfalse
                                  		high
                                  https://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                    		high
                                    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                      		high
                                      https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=englRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                        		high
                                        https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=ZQOnBoEsRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                          		high
                                          http://www.valvesoftware.com/legal.htmRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                            		high
                                            https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&ampRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                              		high
                                              https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.pngRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                		high
                                                https://65.109.242.112/softokn3.dllMRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pngRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                  		high
                                                  https://steamcommunity.com/profiles/76561199681720597GLRegAsm.exe, 00000002.00000002.2171023727.0000000000F50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYiGHCGDA.2.drfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=englishRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                      		high
                                                      https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                        		high
                                                        https://steamcommunity.com/profiles/76561199681720597/badgesRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                          		high
                                                          https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20FeedbackRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                            		high
                                                            https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=englishRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                              		high
                                                              https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=enRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                		high
                                                                https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                  		high
                                                                  https://t.me/talmatinfile.exe, 00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94RegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drfalse
                                                                      		high
                                                                      http://www.mozilla.com/en-US/blocklist/RegAsm.exe, RegAsm.exe, 00000002.00000002.2178967195.000000006F90D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.drfalse
                                                                        		high
                                                                        https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=englishRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                          		high
                                                                          https://mozilla.org0/freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          https://www.valvesoftware.com/en/contact?contact-person=Translation%2RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                              		high
                                                                              http://store.stRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://steamcommunity.com/profiles/76561199681720597/inventory/RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                		high
                                                                                https://store.steampowered.com/points/shop/RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                  		high
                                                                                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=EBAFBG.2.drfalse
                                                                                    		high
                                                                                    https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&ctaRegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drfalse
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=qzBYRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                      		high
                                                                                      https://65.109.242.112/freebl3.dlloRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016RegAsm.exe, 00000002.00000002.2170451919.000000000060E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        https://www.ecosia.org/newtab/EBAFBG.2.drfalse
                                                                                          		high
                                                                                          https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brAEHIEC.2.drfalse
                                                                                            		high
                                                                                            https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199681720597[1].htm.2.drfalse
                                                                                              		high
                                                                                              https://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                		high
                                                                                                https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                  		high
                                                                                                  https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                    		high
                                                                                                    https://steamcommunity.com/login/home/?goto=profiles%2F7656119968172059776561199681720597[1].htm.2.drfalse
                                                                                                      		high
                                                                                                      https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                        		high
                                                                                                        https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=englishRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                          		high
                                                                                                          https://65.109.242.11276561199681720597[1].htm.2.drfalse
                                                                                                          • 12%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          		unknown
                                                                                                          https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                            		high
                                                                                                            https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englisRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                              		high
                                                                                                              https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                		high
                                                                                                                https://store.steampowered.com/about/76561199681720597[1].htm.2.drfalse
                                                                                                                  		high
                                                                                                                  https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                    		high
                                                                                                                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFAEHIEC.2.drfalse
                                                                                                                      		high
                                                                                                                      https://steamcommunity.com/profiles/76561199681720597eLRegAsm.exe, 00000002.00000002.2171023727.0000000000F50000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        https://help.steampowered.com/en/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                          		high
                                                                                                                          https://steamcommunity.com/market/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                            		high
                                                                                                                            https://store.steampowered.com/news/RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                              		high
                                                                                                                              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=EBAFBG.2.drfalse
                                                                                                                                		high
                                                                                                                                http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                  		high
                                                                                                                                  https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                    		high
                                                                                                                                    https://65.109.242.112HJJRegAsm.exe, 00000002.00000002.2170451919.0000000000530000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    		low
                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                      		high
                                                                                                                                      https://steamcommunity.com/discussions/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                        		high
                                                                                                                                        https://65.109.242.112/mozglue.dlleRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                        		unknown
                                                                                                                                        https://store.steampowered.com/stats/RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                          		high
                                                                                                                                          https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                            		high
                                                                                                                                            https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                              		high
                                                                                                                                              https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=yXrh2LzpDwct&l=eRegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                		high
                                                                                                                                                https://65.109.242.112/pRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                		unknown
                                                                                                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchEBAFBG.2.drfalse
                                                                                                                                                  		high
                                                                                                                                                  https://steamcommunity.com/workshop/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                    		high
                                                                                                                                                    https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                      		high
                                                                                                                                                      https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                        		high
                                                                                                                                                        http://www.sqlite.org/copyright.html.RegAsm.exe, 00000002.00000002.2175331068.000000001B68D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2172015655.00000000156E7000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drfalse
                                                                                                                                                          		high
                                                                                                                                                          https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                            		high
                                                                                                                                                            https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199681720597[1].htm.2.drfalse
                                                                                                                                                              		high
                                                                                                                                                              https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgRegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drfalse
                                                                                                                                                                		high
                                                                                                                                                                https://www.google.com/images/branding/product/ico/googleg_lodp.icoEBAFBG.2.drfalse
                                                                                                                                                                  		high
                                                                                                                                                                  https://65.109.242.112JDGRegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                                  		low
                                                                                                                                                                  https://store.steampowered.com/76561199681720597[1].htm.2.drfalse
                                                                                                                                                                    		high
                                                                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                                      		high
                                                                                                                                                                      https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exeRegAsm.exe, 00000002.00000002.2170451919.0000000000574000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                                                                        		high
                                                                                                                                                                        https://65.109.242.112/#RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • 12%, Virustotal, Browse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        		unknown
                                                                                                                                                                        https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                                          		high
                                                                                                                                                                          https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLhRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                                            		high
                                                                                                                                                                            https://ac.ecosia.org/autocomplete?q=EBAFBG.2.drfalse
                                                                                                                                                                              		high
                                                                                                                                                                              https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                                                		high
                                                                                                                                                                                https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgRegAsm.exe, 00000002.00000002.2171023727.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp, GHCGDA.2.drfalse
                                                                                                                                                                                  		high
                                                                                                                                                                                  https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=englishRegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                                                    		high
                                                                                                                                                                                    http://store.steampowered.com/account/cookiepreferences/RegAsm.exe, 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2170451919.000000000043D000.00000040.00000400.00020000.00000000.sdmp, 76561199681720597[1].htm.2.drfalse
                                                                                                                                                                                      		high

                                                                                                                                                                                      World Map of Contacted IPs

                                                                                                                                                                                      • No. of IPs < 25%
                                                                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                                                                      • 75% < No. of IPs

                                                                                                                                                                                      Public IPs

                                                                                                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                      23.195.238.96
                                                                                                                                                                                      		steamcommunity.comUnited States
                                                                                                                                                                                      		16625AKAMAI-ASUSfalse
                                                                                                                                                                                      65.109.242.112
                                                                                                                                                                                      		unknownUnited States
                                                                                                                                                                                      		11022ALABANZA-BALTUSfalse

                                                                                                                                                                                      General Information

                                                                                                                                                                                      Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                                                      Analysis ID:1440170
                                                                                                                                                                                      Start date and time:2024-05-12 12:46:06 +02:00
                                                                                                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                                                                                                      Overall analysis duration:0h 6m 6s
                                                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                                                      Report type:light
                                                                                                                                                                                      Cookbook file name:default.jbs
                                                                                                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                      Number of analysed new started processes analysed:9
                                                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                                                      Number of injected processes analysed:0
                                                                                                                                                                                      Technologies:
                                                                                                                                                                                      • HCA enabled
                                                                                                                                                                                      • EGA enabled
                                                                                                                                                                                      • AMSI enabled
                                                                                                                                                                                      Analysis Mode:default
                                                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                                                      Sample name:file.exe
                                                                                                                                                                                      Detection:MAL
                                                                                                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@9/25@1/2
                                                                                                                                                                                      EGA Information:
                                                                                                                                                                                      • Successful, ratio: 100%
                                                                                                                                                                                      HCA Information:
                                                                                                                                                                                      • Successful, ratio: 97%
                                                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                                                      Cookbook Comments:
                                                                                                                                                                                      • Found application associated with file extension: .exe
                                                                                                                                                                                      • Stop behavior analysis, all processes terminated

                                                                                                                                                                                      Warnings

                                                                                                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                      • TCP Packets have been reduced to 100
                                                                                                                                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                                                      • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                                      Simulations

                                                                                                                                                                                      Behavior and APIs

                                                                                                                                                                                      TimeTypeDescription
                                                                                                                                                                                      12:47:01API Interceptor1x Sleep call for process: RegAsm.exe modified

                                                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                                                      IPs

                                                                                                                                                                                      No context

                                                                                                                                                                                      Domains

                                                                                                                                                                                      No context

                                                                                                                                                                                      ASNs

                                                                                                                                                                                      No context

                                                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                                                      No context

                                                                                                                                                                                      Dropped Files

                                                                                                                                                                                      No context

                                                                                                                                                                                      Created / dropped Files

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\AEHIEC

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):5242880
                                                                                                                                                                                      Entropy (8bit):0.037963276276857943
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                                                      MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                                                      SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                                                      SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                                                      SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                                                      Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\AEHIEC-shm

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\BGDAAK

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):49152
                                                                                                                                                                                      Entropy (8bit):0.8180424350137764
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                                                      MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                                                      SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                                                      SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                                                      SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\EBAFBG

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):106496
                                                                                                                                                                                      Entropy (8bit):1.1358696453229276
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                                                      MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                                                      SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                                                      SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                                                      SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                                                      Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\ECFHCG

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):28672
                                                                                                                                                                                      Entropy (8bit):2.5793180405395284
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                                                      MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                                                      SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                                                      SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                                                      SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\FCFIJE

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):98304
                                                                                                                                                                                      Entropy (8bit):0.08235737944063153
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                      MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                      SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                      SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                      SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\FCFIJE-shm

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:data
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):32768
                                                                                                                                                                                      Entropy (8bit):0.017262956703125623
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                                                                                                      MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                                                                                                      SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                                                                                                      SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                                                                                                      SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\FIDAFC

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):114688
                                                                                                                                                                                      Entropy (8bit):0.9746603542602881
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                                                      MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                                                      SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                                                      SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                                                      SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\GHCGDA

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):9571
                                                                                                                                                                                      Entropy (8bit):5.536643647658967
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
                                                                                                                                                                                      MD5:5D8E5D85E880FB2D153275FCBE9DA6E5
                                                                                                                                                                                      SHA1:72332A8A92B77A8B1E3AA00893D73FC2704B0D13
                                                                                                                                                                                      SHA-256:50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
                                                                                                                                                                                      SHA-512:57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\IDBKKK

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):126976
                                                                                                                                                                                      Entropy (8bit):0.47147045728725767
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                                                      MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                                                      SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                                                      SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                                                      SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\IIEBAF

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):40960
                                                                                                                                                                                      Entropy (8bit):0.8553638852307782
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                      MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                      SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                      SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                      SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\freebl3.dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):685392
                                                                                                                                                                                      Entropy (8bit):6.872871740790978
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                      MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                      SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                      SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                      SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\mozglue.dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):608080
                                                                                                                                                                                      Entropy (8bit):6.833616094889818
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                      MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                      SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                      SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                      SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\msvcp140.dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):450024
                                                                                                                                                                                      Entropy (8bit):6.673992339875127
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                      MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                      SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                      SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                      SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\nss3.dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2046288
                                                                                                                                                                                      Entropy (8bit):6.787733948558952
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                      MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                      SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                      SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                      SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\softokn3.dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):257872
                                                                                                                                                                                      Entropy (8bit):6.727482641240852
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                      MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                      SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                      SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                      SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):80880
                                                                                                                                                                                      Entropy (8bit):6.920480786566406
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                      MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                      SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                      SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                      SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\ProgramData\BGDAAKJJDAAK\vcruntime140.dll, Author: Joe Security
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199681720597[1].htm

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):34771
                                                                                                                                                                                      Entropy (8bit):5.3843653404896905
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:768:Edpqm+0Ih3YAA9CWGIWfcDAoPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ28:Ed8m+0Ih3YAA9CWGIWFoPzzgiJmDzJt/
                                                                                                                                                                                      MD5:B8719A1861962262D390617FEC83C72E
                                                                                                                                                                                      SHA1:1CAFE529AF3EE421C5A478F3404C4748D6D95C4D
                                                                                                                                                                                      SHA-256:A762A4EB54C1E217B0466FCB48B569E5928F0DB2C4E09B07207908EF49F3DA7C
                                                                                                                                                                                      SHA-512:D746C3AAC9045C6EE0D63C4FA24D0B2690992472F0A98A1BF9405919E5A3F6C3EF19AB1DF75472BA6CCCD88325ADCFF8C75E3DA0C4CB33920FE630850629CCB3
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: p5.r https://65.109.242.112|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link hr

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2459136
                                                                                                                                                                                      Entropy (8bit):6.052474106868353
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                                                                                                                                                                                      MD5:90E744829865D57082A7F452EDC90DE5
                                                                                                                                                                                      SHA1:833B178775F39675FA4E55EAB1032353514E1052
                                                                                                                                                                                      SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                                                                                                                                                                                      SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 1%, Browse
                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):685392
                                                                                                                                                                                      Entropy (8bit):6.872871740790978
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                                                                                                      MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                                                                                                      SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                                                                                                      SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                                                                                                      SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):608080
                                                                                                                                                                                      Entropy (8bit):6.833616094889818
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                                                                                                      MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                                                                                                      SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                                                                                                      SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                                                                                                      SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):450024
                                                                                                                                                                                      Entropy (8bit):6.673992339875127
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                                                                                                      MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                                                                                                      SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                                                                                                      SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                                                                                                      SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):2046288
                                                                                                                                                                                      Entropy (8bit):6.787733948558952
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                                                                                                      MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                                                                                                      SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                                                                                                      SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                                                                                                      SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):257872
                                                                                                                                                                                      Entropy (8bit):6.727482641240852
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                                                                                                      MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                                                                                                      SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                                                                                                      SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                                                                                                      SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll

                                                                                                                                                                                      Download File
                                                                                                                                                                                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                      Category:dropped
                                                                                                                                                                                      Size (bytes):80880
                                                                                                                                                                                      Entropy (8bit):6.920480786566406
                                                                                                                                                                                      Encrypted:false
                                                                                                                                                                                      SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                                                                                                      MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                                                                                                      SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                                                                                                      SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                                                                                                      SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                                                                                                      Malicious:false
                                                                                                                                                                                      Yara Hits:
                                                                                                                                                                                      • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll, Author: Joe Security
                                                                                                                                                                                      Antivirus:
                                                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                      • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                      Static File Info

                                                                                                                                                                                      General

                                                                                                                                                                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                      Entropy (8bit):6.328959132341708
                                                                                                                                                                                      TrID:
                                                                                                                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                      File name:file.exe
                                                                                                                                                                                      File size:1'153'024 bytes
                                                                                                                                                                                      MD5:43b0461d2e1c77a8530d66d3e1ae0175
                                                                                                                                                                                      SHA1:96c50c5b2d652a572e18147e213e8bea38118f94
                                                                                                                                                                                      SHA256:d4536f1b7e5fbfdfe66be6a404147230dcff7728bc559b493d7bdd8e1adaea08
                                                                                                                                                                                      SHA512:4ec4add62526c8f2e2119d6043de7494040c86bdb5cceb973fdfd8131e287e0ef52560626fabc66220de1539531e0592683f5e16cb03f384b08f16b4729ad6bd
                                                                                                                                                                                      SSDEEP:24576:t4HFil+p/dJqGunDHUX/wMsWZfbDR9ceqHKUZAs:t4lzJqGunDH6l59gKUZAs
                                                                                                                                                                                      TLSH:F3359E3139C09176EEE310B787ECBA29866DD0B0075911DF57D85AEED720AC27F32686
                                                                                                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......t}.50..f0..f0..f.n.g<..f.n.g...f.n.g%..f.n.g3..f0..fm..f...g"..f...g$..f...g...f...g1..f...g1..fRich0..f................PE..L..

                                                                                                                                                                                      File Icon

                                                                                                                                                                                      Icon Hash:90cececece8e8eb0

                                                                                                                                                                                      Static PE Info

                                                                                                                                                                                      General

                                                                                                                                                                                      Entrypoint:0x4011e0
                                                                                                                                                                                      Entrypoint Section:.text
                                                                                                                                                                                      Digitally signed:false
                                                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                                                      Subsystem:windows cui
                                                                                                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                      Time Stamp:0x66408D4D [Sun May 12 09:35:09 2024 UTC]
                                                                                                                                                                                      TLS Callbacks:
                                                                                                                                                                                      CLR (.Net) Version:
                                                                                                                                                                                      OS Version Major:6
                                                                                                                                                                                      OS Version Minor:0
                                                                                                                                                                                      File Version Major:6
                                                                                                                                                                                      File Version Minor:0
                                                                                                                                                                                      Subsystem Version Major:6
                                                                                                                                                                                      Subsystem Version Minor:0
                                                                                                                                                                                      Import Hash:0d00e7b5922fb5549ed71add897d60ba

                                                                                                                                                                                      Entrypoint Preview

                                                                                                                                                                                      Instruction
                                                                                                                                                                                      jmp 00007FAC310FD3ABh
                                                                                                                                                                                      jmp 00007FAC311239D7h
                                                                                                                                                                                      jmp 00007FAC310FC8B3h
                                                                                                                                                                                      jmp 00007FAC311058D1h
                                                                                                                                                                                      jmp 00007FAC310EF8AAh
                                                                                                                                                                                      jmp 00007FAC310D9D91h
                                                                                                                                                                                      jmp 00007FAC311626A2h
                                                                                                                                                                                      jmp 00007FAC310EFE57h
                                                                                                                                                                                      jmp 00007FAC31124755h
                                                                                                                                                                                      jmp 00007FAC311672C4h
                                                                                                                                                                                      jmp 00007FAC310D5119h
                                                                                                                                                                                      jmp 00007FAC310FDF8Ah
                                                                                                                                                                                      jmp 00007FAC310D3DADh
                                                                                                                                                                                      jmp 00007FAC3110E3FEh
                                                                                                                                                                                      jmp 00007FAC310E824Ah
                                                                                                                                                                                      jmp 00007FAC310CBF95h
                                                                                                                                                                                      jmp 00007FAC31111C16h
                                                                                                                                                                                      jmp 00007FAC310D7551h
                                                                                                                                                                                      jmp 00007FAC310D0556h
                                                                                                                                                                                      jmp 00007FAC3115363Ah
                                                                                                                                                                                      jmp 00007FAC310CB7CCh
                                                                                                                                                                                      jmp 00007FAC310CAAD7h
                                                                                                                                                                                      jmp 00007FAC3111EEEEh
                                                                                                                                                                                      jmp 00007FAC3113B876h
                                                                                                                                                                                      jmp 00007FAC310EC40Eh
                                                                                                                                                                                      jmp 00007FAC3115F3EAh
                                                                                                                                                                                      jmp 00007FAC3112CED2h
                                                                                                                                                                                      jmp 00007FAC310F805Ch
                                                                                                                                                                                      jmp 00007FAC3110648Ch
                                                                                                                                                                                      jmp 00007FAC310CE65Fh
                                                                                                                                                                                      jmp 00007FAC31137680h
                                                                                                                                                                                      jmp 00007FAC31160134h
                                                                                                                                                                                      jmp 00007FAC310E6219h
                                                                                                                                                                                      jmp 00007FAC310FE8E3h
                                                                                                                                                                                      jmp 00007FAC31111BD2h
                                                                                                                                                                                      jmp 00007FAC3115BB26h
                                                                                                                                                                                      jmp 00007FAC3114A613h
                                                                                                                                                                                      jmp 00007FAC310CB44Ah
                                                                                                                                                                                      jmp 00007FAC3114778Eh
                                                                                                                                                                                      jmp 00007FAC310E8733h

                                                                                                                                                                                      Data Directories

                                                                                                                                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x1171e80x28.idata
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x1190000x4a98.reloc
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0xcc0700x38.rdata
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xcbf880x40.rdata
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x1170000x1e8.idata
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                                                      Sections

                                                                                                                                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                                                      .text0x10000xbc1630xbc200b725058dd53b7d7dedb65938fce17658False0.3306945598006645data5.789897639087584IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                      .bss0xbe0000xd7b0xe0074d38ec06459bd131b05e4b9c14491d4False0.45982142857142855data5.465199311557537IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                                                                                      .rdata0xbf0000x156d70x15800cefbc46009fd83df37132eaff20d485bFalse0.2858489280523256DIY-Thermocam raw data (Lepton 3.x), scale 28160-24832, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 10141204801825835211973625643008.000000, slope 148078355747941908480.0000003.698556344652708IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                      .data0xd50000x41efc0x4040027b49b746c2806fd7f8c16b5cfd5ab85False0.8076133876459144data7.203012112153988IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                                                      .idata0x1170000xc850xe002f5de5d5db33e473a3669f61cedae18aFalse0.330078125data4.394738779870993IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                      .00cfg0x1180000x10e0x200dd7371b36f5a16d74de96b27a869ea73False0.03515625data0.11055713125913882IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                                                      .reloc0x1190000x57c90x580006eb18e3f1b1c805484fb0d559442570False0.6424893465909091data6.073709849462629IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                                                                                      Imports

                                                                                                                                                                                      DLLImport
                                                                                                                                                                                      KERNEL32.dllWaitForSingleObject, ExitProcess, CreateThread, VirtualAlloc, GetModuleHandleA, GetProcAddress, FreeConsole, FormatMessageA, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, LocalFree, GetLocaleInfoEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, GetCurrentThread, HeapFree, HeapAlloc, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, SetConsoleCtrlHandler, GetTimeZoneInformation, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, CreateFileW, HeapSize, SetEndOfFile

                                                                                                                                                                                      Network Behavior

                                                                                                                                                                                      Network Port Distribution

                                                                                                                                                                                      TCP Packets

                                                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                      May 12, 2024 12:46:52.401218891 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.401262045 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:52.401319981 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.408319950 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.408334970 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:52.743246078 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:52.743346930 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.791008949 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.791027069 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:52.791277885 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:52.791338921 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.794734955 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:52.836123943 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.238809109 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.238827944 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.238868952 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.238902092 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.238919973 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.238945007 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.238969088 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.397507906 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.397555113 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.397593975 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.397608995 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.397620916 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.397648096 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.425898075 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.425934076 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.425955057 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.425967932 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.426009893 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.518044949 CEST49730443192.168.2.423.195.238.96
                                                                                                                                                                                      May 12, 2024 12:46:53.518065929 CEST4434973023.195.238.96192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.532818079 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:53.532849073 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:53.532910109 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:53.533174992 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:53.533186913 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:54.552495003 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:54.552571058 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:54.557092905 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:54.557105064 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:54.557327986 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:54.557385921 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:54.558120012 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:54.600116014 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.201886892 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.201947927 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.202071905 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.204788923 CEST49731443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.204799891 CEST4434973165.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.207150936 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.207179070 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.207261086 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.207463026 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.207478046 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.868297100 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.868391037 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.868787050 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.868794918 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:55.871567011 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:55.871572018 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:56.951169014 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:56.951231956 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:56.951417923 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:56.951419115 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:56.951646090 CEST49732443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:56.951658010 CEST4434973265.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:56.953077078 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:56.953114033 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:56.953176975 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:56.953427076 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:56.953437090 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:57.605804920 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:57.605874062 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:57.606493950 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:57.606507063 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:57.608217955 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:57.608222008 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:58.679732084 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:58.679753065 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:58.679826975 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:58.679910898 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:58.680149078 CEST49733443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:58.680166006 CEST4434973365.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:58.681684017 CEST49734443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:58.681715012 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:58.681797981 CEST49734443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:58.682025909 CEST49734443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:58.682040930 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:59.340619087 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:59.340712070 CEST49734443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:59.341113091 CEST49734443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:59.341121912 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:46:59.342811108 CEST49734443192.168.2.465.109.242.112
                                                                                                                                                                                      May 12, 2024 12:46:59.342816114 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:47:00.434700012 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:47:00.434722900 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:47:00.434777021 CEST4434973465.109.242.112192.168.2.4
                                                                                                                                                                                      May 12, 2024 12:47:00.434803009 CEST49734443192.168.2.465.109.242.112

                                                                                                                                                                                      UDP Packets

                                                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                      May 12, 2024 12:46:52.229378939 CEST4996353192.168.2.41.1.1.1
                                                                                                                                                                                      May 12, 2024 12:46:52.392379999 CEST53499631.1.1.1192.168.2.4

                                                                                                                                                                                      DNS Queries

                                                                                                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                                                      May 12, 2024 12:46:52.229378939 CEST192.168.2.41.1.1.10xea63Standard query (0)steamcommunity.comA (IP address)IN (0x0001)false

                                                                                                                                                                                      DNS Answers

                                                                                                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                                                      May 12, 2024 12:46:52.392379999 CEST1.1.1.1192.168.2.40xea63No error (0)steamcommunity.com23.195.238.96A (IP address)IN (0x0001)false

                                                                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                                                                      • steamcommunity.com
                                                                                                                                                                                      • 65.109.242.112

                                                                                                                                                                                      Statistics

                                                                                                                                                                                      Behavior

                                                                                                                                                                                      Click to jump to process

                                                                                                                                                                                      System Behavior

                                                                                                                                                                                      General

                                                                                                                                                                                      Target ID:0
                                                                                                                                                                                      Start time:12:46:50
                                                                                                                                                                                      Start date:12/05/2024
                                                                                                                                                                                      Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                                                      Imagebase:0x630000
                                                                                                                                                                                      File size:1'153'024 bytes
                                                                                                                                                                                      MD5 hash:43B0461D2E1C77A8530D66D3E1AE0175
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1610588292.0000000000705000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                                                      Reputation:low
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      General

                                                                                                                                                                                      Target ID:1
                                                                                                                                                                                      Start time:12:46:50
                                                                                                                                                                                      Start date:12/05/2024
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      General

                                                                                                                                                                                      Target ID:2
                                                                                                                                                                                      Start time:12:46:51
                                                                                                                                                                                      Start date:12/05/2024
                                                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                                                      Imagebase:0x890000
                                                                                                                                                                                      File size:65'440 bytes
                                                                                                                                                                                      MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Yara matches:
                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                      • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2170451919.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                      • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2171023727.0000000000F80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      General

                                                                                                                                                                                      Target ID:6
                                                                                                                                                                                      Start time:12:47:46
                                                                                                                                                                                      Start date:12/05/2024
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAAKJJDAAK" & exit
                                                                                                                                                                                      Imagebase:0x240000
                                                                                                                                                                                      File size:236'544 bytes
                                                                                                                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      General

                                                                                                                                                                                      Target ID:7
                                                                                                                                                                                      Start time:12:47:47
                                                                                                                                                                                      Start date:12/05/2024
                                                                                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                                                                                      File size:862'208 bytes
                                                                                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      General

                                                                                                                                                                                      Target ID:8
                                                                                                                                                                                      Start time:12:47:47
                                                                                                                                                                                      Start date:12/05/2024
                                                                                                                                                                                      Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                                                      Commandline:timeout /t 10
                                                                                                                                                                                      Imagebase:0xf50000
                                                                                                                                                                                      File size:25'088 bytes
                                                                                                                                                                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                                                      Reputation:high
                                                                                                                                                                                      Has exited:true

                                                                                                                                                                                      Disassembly

                                                                                                                                                                                      No disassembly