Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1519663
MD5: e02a6087d9257c00071b3cc1508a95ef
SHA1: 8081f2bd757d470e08711133cfb7a4ca17f2fb1f
SHA256: e0f1b468770374dc01046cd48f25609b5e04724a79323a049f02673ea0bcc811
Tags: exe, user-Bitsight

Detection

LummaC, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: https://steamcommunity.com/profiles/76561199724331900 URL Reputation: Label: malware
Source: https://5.75.211.162/mozglue.dll9ap Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dll7az Avira URL Cloud: Label: malware
Source: https://5.75.211.162/ECGCAEBFI Avira URL Cloud: Label: malware
Source: reinforcenh.shop Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll Avira URL Cloud: Label: malware
Source: stogeneratmns.shop Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/apiR Avira URL Cloud: Label: malware
Source: https://reinforcenh.shop/api Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dll Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199780418869/badges Avira URL Cloud: Label: malware
Source: https://5.75.211.162/ff Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dll Avira URL Cloud: Label: malware
Source: https://5.75.211.162/mozglue.dll_a Avira URL Cloud: Label: malware
Source: https://ghostreedmnu.shop/apiES Avira URL Cloud: Label: malware
Source: ghostreedmnu.shop Avira URL Cloud: Label: malware
Source: https://5.75.211.162 Avira URL Cloud: Label: malware
Source: https://5.75.211.162/freebl3.dllia Avira URL Cloud: Label: malware
Source: https://t.me/ae5ed Avira URL Cloud: Label: malware
Source: https://vozmeatillu.shop/api Avira URL Cloud: Label: malware
Source: https://5.75.211.162/msvcp140.dllAa Avira URL Cloud: Label: malware
Source: https://5.75.211.162/- Avira URL Cloud: Label: malware
Source: fragnantbui.shop Avira URL Cloud: Label: malware
Source: https://offensivedzvju.shop/api Avira URL Cloud: Label: malware
Source: https://5.75.211.162/softokn3.dllga Avira URL Cloud: Label: malware
Source: drawzhotdog.shop Avira URL Cloud: Label: malware
Source: offensivedzvju.shop Avira URL Cloud: Label: malware
Source: https://5.75.211.162/L Avira URL Cloud: Label: malware
Source: https://5.75.211.162/sqlp.dllW1 Avira URL Cloud: Label: malware
Source: vozmeatillu.shop Avira URL Cloud: Label: malware
Source: https://drawzhotdog.shop/api Avira URL Cloud: Label: malware
Source: https://5.75.211.162/vcruntime140.dllmc Avira URL Cloud: Label: malware
Source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "6c8ce6f422a1d9cf34f23d1c2168e754"}
Source: 12.2.RegAsm.exe.400000.0.raw.unpack Malware Configuration Extractor: LummaC {"C2 url": ["reinforcenh.shop", "stogeneratmns.shop", "gutterydhowi.shop", "vozmeatillu.shop", "offensivedzvju.shop", "ghostreedmnu.shop", "fragnantbui.shop", "drawzhotdog.shop"], "Build id": "H8NgCl--"}
Source: C:\ProgramData\FIEHIIIJDA.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vdshfd[1].exe ReversingLabs: Detection: 34%
Source: file.exe ReversingLabs: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: reinforcenh.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: stogeneratmns.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: fragnantbui.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: drawzhotdog.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: vozmeatillu.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: offensivedzvju.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: gutterydhowi.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: ghostreedmnu.shop
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: TeslaBrowser/5.5
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Screen Resoluton:
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: - Physical Installed Memory:
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: Workgroup: -
Source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp String decryptor: H8NgCl--
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree, 4_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 4_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00411E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 4_2_00411E5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040A7D8 _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA, 4_2_0040A7D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C096C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 4_2_6C096C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source: Binary string: c:\rje\tg\\obj\Release\ojc.pdb source: file.exe
Source: Binary string: c:\rje\tg\obj\Release\ojc.pdb source: FIEHIIIJDA.exe.4.dr, vdshfd[1].exe.4.dr
Source: Binary string: c:\rje\tg\12rr6\obj\Release\ojc.pdb source: ljhgfsd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000004.00000002.2805489536.000000003A7DE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000004.00000002.2798282941.000000002E8F6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3172572540.000000002005B000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose, 4_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 4_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 4_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 4_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr fs:[00000030h] 4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-04h], eax 4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then xor eax, eax 12_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h 12_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h 12_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 12_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh 12_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov edi, esi 12_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 12_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h] 12_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h 12_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov word ptr [eax], cx 12_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+08h] 12_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 12_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah 12_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h] 12_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+08h] 12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx eax, word ptr [esi+ecx] 12_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h 12_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 12_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], cl 12_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh 12_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h 12_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 12_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000668h] 12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h 12_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h 12_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+000001C8h] 12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+00000198h] 12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 12_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+14h] 12_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+00000884h] 12_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [ebx], al 12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov byte ptr [edi], al 12_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 12_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h 12_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp+10h] 12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [ecx+eax] 12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh 12_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh 12_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esp] 12_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh 12_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 12_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh 12_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov ebx, dword ptr [edi+04h] 12_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 12_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 12_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 12_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh 12_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ecx, word ptr [edi+eax] 12_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-18h] 12_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [ebp-14h] 12_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then add ebx, 02h 12_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 12_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then dec ebx 12_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h 12_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp dword ptr [004521ECh] 12_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h 12_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then movzx ebx, byte ptr [edx] 12_2_0043BFF0

Networking

Source: Network traffic Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.5:50647 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.5:57503 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.5:61063 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.5:49748 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.5:49753 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.5:65058 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.5:60331 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.5:63469 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.5:53384 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.5:60357 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.5:49742 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.5:49751 -> 45.132.206.251:80
Source: Network traffic Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.5:49745 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49719
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49720
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49742 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49744 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49742 -> 172.67.132.32:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49745 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49745 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49747 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49748 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49748 -> 172.67.162.108:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49750 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49755 -> 104.21.2.13:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49755 -> 104.21.2.13:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49753 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49753 -> 172.67.208.139:443
Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 5.75.211.162:443 -> 192.168.2.5:49762
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 5.75.211.162:443 -> 192.168.2.5:49761
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49741 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49752 -> 188.114.97.3:443
Source: Malware configuration extractor URLs: reinforcenh.shop
Source: Malware configuration extractor URLs: stogeneratmns.shop
Source: Malware configuration extractor URLs: gutterydhowi.shop
Source: Malware configuration extractor URLs: vozmeatillu.shop
Source: Malware configuration extractor URLs: offensivedzvju.shop
Source: Malware configuration extractor URLs: ghostreedmnu.shop
Source: Malware configuration extractor URLs: fragnantbui.shop
Source: Malware configuration extractor URLs: drawzhotdog.shop
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199780418869
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 172.67.162.108 172.67.162.108
Source: Joe Sandbox View IP Address: 172.67.132.32 172.67.132.32
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49718 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49722 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49721 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49719 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49720 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49716 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49717 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49724 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49723 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49726 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49727 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49728 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49729 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49731 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49730 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49725 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49737 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49732 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49735 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49738 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49734 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49733 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49740 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49761 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49746 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49764 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49760 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49763 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49759 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49758 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49762 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49749 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49765 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.5:49766 -> 5.75.211.162:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49739 -> 172.105.54.160:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49743 -> 172.105.54.160:443
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIDGCFBFBFBKEBGCAFCG User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBAAFIDGDAAAAAAAAKEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 5753 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBFCBGCGIJKJKECAKEGC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HIJEGIIJDGHDGCBGHCAA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKEGIIJDGHCAKFHJEHCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DBKFHCFBGIIJKFHJDHDH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BGDBKKFHIEGDHJKECAAK User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 461 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFH User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 113457 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGIDHDGCBFBKECBFHCAF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
Source: global traffic HTTP traffic detected: GET /vdshfd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 499 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CFHDHIJDGCBAKFIEGHCB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
Source: global traffic HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKJDGDGDHDGDBFIDHDBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFCFHJJECAEHJJKEHIDB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 332 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECFHIJKJKFIDHJKFBGHC User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 5637 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHDHDBAECGCAFHJJDAKF User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 829 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----ECGHCBGCBFHIIDHIJKFB User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: cowod.hopto.org Content-Length: 3209 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.75.211.162
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 4_2_00406963
Source: global traffic HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqlp.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ljhgfsd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vdshfd.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: dbsmena.com Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: error #D12nline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: dbsmena.com
Source: global traffic DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic DNS traffic detected: DNS query: ballotnwu.site
Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBFHIEBKJKFHIEBFBA User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0 Host: 5.75.211.162 Content-Length: 256 Connection: Keep-Alive Cache-Control: no-cache
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.CGCBKECAAAEB
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.CAAAEB
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org/
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.orgAEB
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: RegAsm.exe, 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://cowod.hoptoECAAAEB
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://ocsp.entrust.net02
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://ocsp.entrust.net03
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, file.exe, freebl3.dll.4.dr, mozglue.dll.4.dr, FIEHIIIJDA.exe.4.dr, softokn3.dll.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr, nss3.dll.4.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: http://www.entrust.net/rpa03
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788378705.000000002236D000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://5.75.211.162
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162.exe
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/-
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/ECGCAEBFI
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/L
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/ff
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/freebl3.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/freebl3.dllia
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/mozglue.dll9ap
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/mozglue.dll_a
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/msvcp140.dll7az
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/msvcp140.dllAa
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/nss3.dll
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/q
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/softokn3.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/softokn3.dllga
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000055E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dll%
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/sqlp.dllW1
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/vcruntime140.dll
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162/vcruntime140.dllmc
Source: RegAsm.exe, 00000010.00000002.3151894747.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.1620.5938.132
Source: RegAsm.exe, 00000010.00000002.3151894747.00000000005A1000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162FBGHC
Source: RegAsm.exe, 00000004.00000002.2766039693.0000000000563000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162IJKFB
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162JDAKF
Source: RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://5.75.211.162ta
Source: EGIDHD.4.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: RegAsm.exe, 0000000C.00000002.2801859666.0000000001445000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 0000000C.00000002.2801859666.0000000001445000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/R
Source: RegAsm.exe, 0000000C.00000002.2802203193.0000000001457000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: EGIDHD.4.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: EGIDHD.4.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: EGIDHD.4.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.akamai.steamstatic.com/
Source: RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=nSnUuYf7g6U1&a
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=PzKBszTg
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=WnGP
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=f3vWO7swdDqp&l=english
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=B0lGn8MokmdT&l=e
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=ezWS9te9Zwm9&l=en
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/M
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/ljhgfsd.exe
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/ljhgfsd.exe1kkkk1219057https://dbsmena.com/vdshfd.exe1kkkk97f0d2d0242908
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/ljhgfsd.exeent-Disposition:
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/vdshfd.exe
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/vdshfd.exeK
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://dbsmena.com/vdshfd.exetent-Disposition:
Source: EGIDHD.4.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: EGIDHD.4.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: EGIDHD.4.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/api
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ghostreedmnu.shop/apiES
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://help.steampowered.com/en/
Source: AKEGII.4.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: https://mozilla.org0/
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://offensivedzvju.shop/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.co
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/X
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/b_
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: RegAsm.exe, 0000000C.00000002.2802203193.0000000001457000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/l
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/market/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900J
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: RegAsm.exe, 00000010.00000002.3154731112.0000000001071000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869Zr
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stogeneratmns.shop/api
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/about/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/news/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privac
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: KKKJKE.4.dr String found in binary or memory: https://support.mozilla.org
Source: KKKJKE.4.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KKKJKE.4.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, FIEHIIIJDA.exe, 0000000D.00000002.2725250219.000000000391B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000437000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/ae5ed
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://vozmeatillu.shop/apiR
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000F69000.00000004.00000020.00020000.00000000.sdmp, AKEGII.4.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr, mozglue.dll.4.dr, softokn3.dll.4.dr, nss3.dll.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: EGIDHD.4.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, file.exe, FIEHIIIJDA.exe.4.dr, ljhgfsd[1].exe.4.dr, vdshfd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: EGIDHD.4.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RegAsm.exe, 00000004.00000002.2778828032.000000001BDFC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: KKKJKE.4.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004F6000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004FE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004C2000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004C8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E1000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004CE000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000516000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000052D000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000051F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.000000000050E000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004DA000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004E8000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000506000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004D4000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.0000000000528000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3151894747.00000000004EF000.00000040.00000400.00020000.00000000.sdmp, 76561199780418869[1].htm.16.dr, 76561199780418869[1].htm.4.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 0000000C.00000002.2801859666.000000000144E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.105.54.160:443 -> 192.168.2.5:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.132.32:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.208.139:443 -> 192.168.2.5:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.2.13:443 -> 192.168.2.5:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.75.211.162:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 12_2_00439BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00411F55 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 4_2_00411F55

System Summary

Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 393216
Source: vdshfd[1].exe.4.dr, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 393216
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040145B GetCurrentProcess,NtQueryInformationProcess, 4_2_0040145B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0EB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 4_2_6C0EB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0EB8C0 rand_s,NtQueryVirtualMemory, 4_2_6C0EB8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0EB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 4_2_6C0EB910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C08F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 4_2_6C08F280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00950C40 0_2_00950C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042D933 4_2_0042D933
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042D1C3 4_2_0042D1C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041C472 4_2_0041C472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042D561 4_2_0042D561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041950A 4_2_0041950A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042DD1B 4_2_0042DD1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042CD2E 4_2_0042CD2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041B712 4_2_0041B712
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0835A0 4_2_6C0835A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0FAC00 4_2_6C0FAC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0C5C10 4_2_6C0C5C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0D2C10 4_2_6C0D2C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0F542B 4_2_6C0F542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C095440 4_2_6C095440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0F545C 4_2_6C0F545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C096C80 4_2_6C096C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0E34A0 4_2_6C0E34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0EC4A0 4_2_6C0EC4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0964C0 4_2_6C0964C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0AD4D0 4_2_6C0AD4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C08D4E0 4_2_6C08D4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0C6CF0 4_2_6C0C6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C09FD00 4_2_6C09FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0B0512 4_2_6C0B0512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0AED10 4_2_6C0AED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0C0DD0 4_2_6C0C0DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0E85F0 4_2_6C0E85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0D5600 4_2_6C0D5600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0C7E10 4_2_6C0C7E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0E9E30 4_2_6C0E9E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0D2E4E 4_2_6C0D2E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0A4640 4_2_6C0A4640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0A9E50 4_2_6C0A9E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0C3E50 4_2_6C0C3E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0F6E63 4_2_6C0F6E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C08C670 4_2_6C08C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0EE680 4_2_6C0EE680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0A5E90 4_2_6C0A5E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0E4EA0 4_2_6C0E4EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0F76E3 4_2_6C0F76E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C08BEF0 4_2_6C08BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C09FEF0 4_2_6C09FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C099F00 4_2_6C099F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0C7710 4_2_6C0C7710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0D77A0 4_2_6C0D77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C08DFE0 4_2_6C08DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0B6FF0 4_2_6C0B6FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C097810 4_2_6C097810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0CB820 4_2_6C0CB820
Source: Joe Sandbox View Dropped File: C:\ProgramData\FBFHJJJDAF.exe 7952E7769A991C349CC092B9CB3D1505405E793B526F49C784C343DD7D3CD227
Source: Joe Sandbox View Dropped File: C:\ProgramData\FIEHIIIJDA.exe F75ACF936390F89239C43552717EFB65C4C3190B16A7EEC62DCD0053A045E91D
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C0BCBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00410609 appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C0C94D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0040CC80 appears 44 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C2B09D0 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004104E7 appears 36 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.2051620389.00000000006AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameVQP.exeD vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FBFHJJJDAF.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ljhgfsd[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FIEHIIIJDA.exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: vdshfd[1].exe.4.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/35@14/10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0E7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 4_2_6C0E7030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004114A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_004114A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00411807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 4_2_00411807
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\ProgramData\FIEHIIIJDA.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4028:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\delays.tmp
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: RegAsm.exe, 00000010.00000002.3154731112.0000000001129000.00000004.00000020.00020000.00000000.sdmp, ECFHIJ.16.dr, AKJDGI.4.dr, GHJDBA.4.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: file.exe ReversingLabs: Detection: 34%
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\FBFHJJJDAF.exe "C:\ProgramData\FBFHJJJDAF.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\FIEHIIIJDA.exe "C:\ProgramData\FIEHIIIJDA.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\FIEHIIIJDA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\FBFHJJJDAF.exe "C:\ProgramData\FBFHJJJDAF.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\FIEHIIIJDA.exe "C:\ProgramData\FIEHIIIJDA.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: pcacli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntshrui.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: linkinfo.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: mscoree.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: apphelp.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: version.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\FBFHJJJDAF.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: mscoree.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: apphelp.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: version.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\ProgramData\FIEHIIIJDA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source: Binary string: freebl3.pdb source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: freebl3.pdbp source: RegAsm.exe, 00000004.00000002.2788891835.0000000022A14000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.4.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source: Binary string: c:\rje\tg\\obj\Release\ojc.pdb source: file.exe
Source: Binary string: c:\rje\tg\obj\Release\ojc.pdb source: FIEHIIIJDA.exe.4.dr, vdshfd[1].exe.4.dr
Source: Binary string: c:\rje\tg\12rr6\obj\Release\ojc.pdb source: ljhgfsd[1].exe.4.dr, FBFHJJJDAF.exe.4.dr
Source: Binary string: softokn3.pdb@ source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: RegAsm.exe, 00000004.00000002.2805489536.000000003A7DE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140.dll.4.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: RegAsm.exe, 00000004.00000002.2798282941.000000002E8F6000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.4.dr
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000004.00000002.2820023276.000000006C2BF000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000004.00000002.2808642566.0000000040746000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.4.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000004.00000002.2817367710.000000006C0FD000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe, 00000004.00000002.2794093889.0000000028985000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.4.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 00000004.00000002.2788058569.0000000022338000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2779917513.000000001C3CE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3172572540.000000002005B000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: softokn3.pdb source: RegAsm.exe, 00000004.00000002.2802216164.0000000034867000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.4.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00418950
Source: softokn3.dll.4.dr Static PE information: section name: .00cfg
Source: nss3.dll.4.dr Static PE information: section name: .00cfg
Source: freebl3.dll.4.dr Static PE information: section name: .00cfg
Source: mozglue.dll.4.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.4.dr Static PE information: section name: .didat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042F142 push ecx; ret 4_2_0042F155
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00422D3B push esi; ret 4_2_00422D3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041DDB5 push ecx; ret 4_2_0041DDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00432715 push 0000004Ch; iretd 4_2_00432726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0BB536 push ecx; ret 4_2_6C0BB549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_00438B7E push cs; iretd 12_2_00438B85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_1FE629DE push edi; retn 0000h 16_2_1FE629E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_1FF93C51 push es; retf 16_2_1FF93C57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_1FFCA45D push esi; ret 16_2_1FFCA45F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_1FFC4BF0 push ecx; ret 16_2_1FFC4C03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_2000F456 push ebx; ret 16_2_2000F457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_1FFFDB66 push esp; retf 16_2_1FFFDB67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 16_2_1FFFD568 push esp; retf 16_2_1FFFD570
Source: file.exe Static PE information: section name: .text entropy: 7.995579707906101
Source: FBFHJJJDAF.exe.4.dr Static PE information: section name: .text entropy: 7.995225395636529
Source: ljhgfsd[1].exe.4.dr Static PE information: section name: .text entropy: 7.995225395636529
Source: FIEHIIIJDA.exe.4.dr Static PE information: section name: .text entropy: 7.99542204298472
Source: vdshfd[1].exe.4.dr Static PE information: section name: .text entropy: 7.99542204298472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\FBFHJJJDAF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\FIEHIIIJDA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vdshfd[1].exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\FBFHJJJDAF.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\FIEHIIIJDA.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00418950
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX (14 occurrences) Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (3 occurrences) Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Process information set: NOOPENFILEERRORBOX (14 occurrences) Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Process information set: NOOPENFILEERRORBOX (14 occurrences) Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: 4.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3465570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3465570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: RegAsm.exe Binary or memory string: DIR_WATCH.DLL
Source: RegAsm.exe, 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: RegAsm.exe Binary or memory string: SBIEDLL.DLL
Source: RegAsm.exe Binary or memory string: API_LOG.DLL
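The memory string reported for RegAsm.exe at 0x400000 above is the anti-analysis table the Vidar payload carries: eleven hook DLLs that sandboxes and API monitors load into every process they watch, plus the HAL9TH / JOHNDOE host identity of the Windows Defender emulator. The Python below is an added example written for this report, not sandbox output and not the sample's own code. VIDAR_BLOB is copied from the report line; the module-to-product table and the emulator host names are general knowledge about these checks rather than something recovered from the sample. It lists which product each module betrays, reproduces the host-name comparison, and scores an arbitrary buffer so the same table can be hunted for in other dumps.

```python
"""Decode the Vidar anti-analysis string table (memory-string hit above).

Added example for this report, not sandbox output or code from the sample.
VIDAR_BLOB is the string reported for RegAsm.exe at 0x400000; the product
mapping and the emulator host names are general knowledge about these checks."""

# Hook / monitoring modules, and the analysis product that injects each one.
ANALYSIS_MODULES = {
    "avghookx.dll": "AVG sandbox hook (x64)",
    "avghooka.dll": "AVG sandbox hook (x86)",
    "snxhk.dll": "Avast sandbox hook",
    "sbiedll.dll": "Sandboxie",
    "api_log.dll": "iDefense SysAnalyzer API logger",
    "dir_watch.dll": "iDefense SysAnalyzer directory watcher",
    "pstorec.dll": "SunBelt Sandbox",
    "vmcheck.dll": "Virtual PC",
    "wpespy.dll": "WPE Pro packet editor",
    "cmdvrt32.dll": "Comodo Container (x86)",
    "cmdvrt64.dll": "Comodo Container (x64)",
}

# Host identity of the Windows Defender emulator; Vidar/Arkei compare the
# computer name and the user name against these two values.
EMULATOR_COMPUTER, EMULATOR_USER = "HAL9TH", "JOHNDOE"

# Copied from the report's memory-string line for RegAsm.exe (PID index 4).
VIDAR_BLOB = (
    r"INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS"
    r"\MONERO\WALLET.KEYS\\\*.*\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAY"
    r"AVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLL"
    r"VMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL"
    r"20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL"
)


def find_analysis_modules(blob: str) -> list[tuple[str, str]]:
    """Known hook DLLs present in `blob`, as (module, product), in blob order."""
    hay = blob.upper()
    hits = [(hay.find(m.upper()), m) for m in ANALYSIS_MODULES]
    return [(m, ANALYSIS_MODULES[m]) for off, m in sorted(hits) if off >= 0]


def is_defender_emulator(computer_name: str, user_name: str) -> bool:
    """The host-name / user-name comparison the stealer makes before running."""
    return (computer_name.upper(), user_name.upper()) == (EMULATOR_COMPUTER, EMULATOR_USER)


def vidar_antianalysis_score(data: bytes) -> int:
    """Number of the 13 indicators present in a buffer (case-insensitive).
    All 13 occur in the RegAsm.exe dump; several together in another dump is
    already a strong Vidar/Arkei marker."""
    hay = data.upper()
    needles = [m.upper().encode() for m in ANALYSIS_MODULES]
    needles += [EMULATOR_COMPUTER.encode(), EMULATOR_USER.encode()]
    return sum(1 for n in needles if n in hay)


if __name__ == "__main__":
    for module, product in find_analysis_modules(VIDAR_BLOB):
        print(f"{module:14s} -> {product}")
    print("score:", vidar_antianalysis_score(VIDAR_BLOB.encode()))
```

The score function deliberately searches for each known name rather than tokenising the blob: the names are packed back to back with no separators, so a generic `[A-Z_]+\.DLL` pattern would swallow `HAL9THJOHNDOEDISPLAYAVGHOOKX.DLL` as one token and miss the first module.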
Source: C:\Users\user\Desktop\file.exe Memory allocated: 910000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2460000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 9A0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory allocated: 790000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory allocated: 2450000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory allocated: 2260000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory allocated: 1110000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory allocated: 28E0000 memory reserve | memory write watch Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory allocated: 48E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened / queried: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos, 4_2_0040180D
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 9.3 %
Source: C:\Users\user\Desktop\file.exe TID: 3852 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe TID: 1680 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5644 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe TID: 1524 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 2604 Thread sleep count: 83 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 occurrences)
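The sleep entries above need interpretation before they are read as evasion. The -30000 threshold is the sandbox's 30-second skip limit, so the printed unit is milliseconds despite the "s" suffix, and 922337203685477 is 2^63 / 10^4: the magnitude of Int64.MinValue taken as an NT relative 100 ns interval, which is what Sleep(INFINITE) or an equivalent infinite wait reaches NtDelayExecution as. A thread parked that way (one in each of the three loader processes here) is not stalling to outlive a timeout; the single finite 30 s sleep in RegAsm.exe is the entry that merits attention. The Python below is an added example for this report, not sandbox output: it parses these lines as copied from the report and separates the two cases.

```python
"""Interpret the 'Thread sleep time' entries above.

Added example for this report, not sandbox output. The lines are copied from
the report; the classification rule is my own."""
import re

# 2**63 // 10**4 == 922337203685477: Int64.MinValue taken as an NT relative
# 100 ns interval and printed in milliseconds, i.e. Sleep(INFINITE).
INFINITE_MS = (2 ** 63) // 10_000

ENTRY_RE = re.compile(
    r"Source: (?P<proc>\S+) TID: (?P<tid>\d+) Thread sleep time: "
    r"-(?P<delay>\d+)s >= -(?P<limit>\d+)s"
)

# Copied from the report entries above.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe TID: 3852 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\ProgramData\FBFHJJJDAF.exe TID: 1680 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5644 Thread sleep time: -30000s >= -30000s Jump to behavior",
    r"Source: C:\ProgramData\FIEHIIIJDA.exe TID: 1524 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
]


def classify_delay(delay_ms: int, limit_ms: int) -> str:
    if delay_ms >= INFINITE_MS:
        return "infinite"   # thread parked for good; not a timed evasion sleep
    if delay_ms >= limit_ms:
        return "long"       # at or above the sandbox's skip limit: possible stalling
    return "short"


def parse_sleep_entries(lines: list[str]) -> list[dict]:
    entries = []
    for line in lines:
        m = ENTRY_RE.search(line)
        if m is None:
            continue
        delay, limit = int(m["delay"]), int(m["limit"])
        entries.append({
            "process": m["proc"].rsplit("\\", 1)[-1],
            "tid": int(m["tid"]),
            "delay_ms": delay,
            "limit_ms": limit,
            "kind": classify_delay(delay, limit),
        })
    return entries


def stalling_candidates(lines: list[str]) -> list[str]:
    """Processes with a long but finite sleep: the ones worth a closer look."""
    return sorted({e["process"] for e in parse_sleep_entries(lines) if e["kind"] == "long"})


if __name__ == "__main__":
    for e in parse_sleep_entries(SAMPLE_LINES):
        print(f'{e["process"]:16s} tid={e["tid"]:<5d} {e["delay_ms"]:>16d} ms  {e["kind"]}')
```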
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00410DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EEEh 4_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_0041543D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00414CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,strtok_s,FindNextFileA,FindClose, 4_2_00414CC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00409D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_00409D1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 4_2_0040D5C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B5DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 4_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 4_2_0040BF4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00415FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 4_2_00415FD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040B93F FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 4_2_0040B93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00415B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 4_2_00415B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 4_2_0040CD37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00415142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA, 4_2_00415142
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00410FBA GetSystemInfo,wsprintfA, 4_2_00410FBA
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: https://dbsmena.com/ljhgfsd.exe>\)
Source: IJDHCB.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: IJDHCB.4.dr Binary or memory string: discord.comVMware20,11696428655f
Source: IJDHCB.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: global block list test formVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: R1219056https://dbsmena.com/ljhgfsd.exe1kkkk1219057https://dbsmena.com/vdshfd.exe1kkkk97f0d2d0242908
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2801859666.0000000001445000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000108F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: IJDHCB.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /ljhgfsd.exe
Source: IJDHCB.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: IJDHCB.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: IJDHCB.4.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: IJDHCB.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: IJDHCB.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: IJDHCB.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: IJDHCB.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: https://dbsmena.com/ljhgfsd.exe
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: IJDHCB.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: IJDHCB.4.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: IJDHCB.4.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: IJDHCB.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: RegAsm.exe, 0000000C.00000002.2802203193.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"6
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exe\*
Source: RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1219056|https://dbsmena.com/ljhgfsd.exe|1|kkkk|1219057|https://dbsmena.com/vdshfd.exe|1|kkkk|
Source: IJDHCB.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000046B000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: Thttps://dbsmena.com/ljhgfsd.exeent-Disposition: form-data; name="token"
Source: IJDHCB.4.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(k
Source: IJDHCB.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ljhgfsd[1].exes
Source: IJDHCB.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
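A caveat on the VM-related string hits above. IJDHCB.4.dr is a file written by process 4, the RegAsm.exe that hosts the Vidar payload, and its contents are evidently credential-store records collected from the analysis VM (site names each followed by "VMware20,11696428655"), so those "VMware" matches are the victim machine's data being harvested, not a VM check in the sample. "Hyper-V RAW" in the RegAsm.exe heaps is most likely the Winsock protocol-catalog name for Hyper-V sockets, which any process that enumerates providers picks up. The evidence for sandbox detection in this run is the hook-DLL table further up, not these lines. The Python below is an added example for this report, not sandbox output: it separates such hits by where they were found, following the report's source naming ("<name>.<n>.dr" is a file dropped by process n, a "*.sdmp" list is a process memory dump, a bare process name is that process's memory), with the hit lines copied from the report.

```python
"""Separate the VM / hypervisor string hits above by where they were found.

Added example for this report, not sandbox output. The source naming follows
the report: '<name>.<n>.dr' is a file dropped by process n, a '*.sdmp' list is
a process memory dump, a bare process name is that process's memory. The hit
lines are copied from the report."""
import re
from collections import defaultdict

VM_MARKERS = ("vmware", "hyper-v", "virtualbox", "vbox", "qemu")

HIT_RE = re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<text>.*)$")

# Copied from the report entries above.
SAMPLE_HITS = [
    r"Source: IJDHCB.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE",
    r"Source: IJDHCB.4.dr Binary or memory string: outlook.office365.comVMware20,11696428655t",
    r"Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(k",
    r"Source: RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware",
    r"Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: https://dbsmena.com/ljhgfsd.exe>\)",
]


def classify_source(src: str) -> tuple[str, str]:
    """(origin kind, owner) for a report source field."""
    first = src.split(",")[0].strip()
    if first.endswith(".dr"):
        _, index, _ = first.rsplit(".", 2)      # IJDHCB.4.dr -> dropped by process 4
        return "dropped-file", f"process {index}"
    if src.rstrip().endswith(".sdmp"):
        return "memory-dump", first
    return "process-memory", first


def group_vm_hits(lines: list[str]) -> dict[str, list[tuple[str, str, str]]]:
    """origin kind -> [(owner, marker, text)] for lines naming a VM product."""
    groups = defaultdict(list)
    for line in lines:
        m = HIT_RE.match(line)
        if m is None:
            continue
        lowered = m["text"].lower()
        marker = next((v for v in VM_MARKERS if v in lowered), None)
        if marker is None:
            continue
        kind, owner = classify_source(m["src"])
        groups[kind].append((owner, marker, m["text"]))
    return dict(groups)


def code_resident_vm_hits(lines: list[str]) -> list[tuple[str, str, str]]:
    """Hits in process memory only: the subset that could be the sample's own
    VM-detection strings (and still needs checking against OS noise)."""
    g = group_vm_hits(lines)
    return g.get("memory-dump", []) + g.get("process-memory", [])


if __name__ == "__main__":
    for kind, hits in group_vm_hits(SAMPLE_HITS).items():
        print(kind)
        for owner, marker, text in hits:
            print(f"  {owner:12s} {marker:8s} {text[:60]}")
```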

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 12_2_004476D0 LdrInitializeThunk, 12_2_004476D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00418950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00418950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004014AD mov eax, dword ptr fs:[00000030h] 4_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040148A mov eax, dword ptr fs:[00000030h] 4_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004014A2 mov eax, dword ptr fs:[00000030h] 4_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00418599 mov eax, dword ptr fs:[00000030h] 4_2_00418599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041859A mov eax, dword ptr fs:[00000030h] 4_2_0041859A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040884C CopyFileA,GetProcessHeap,RtlAllocateHeap,StrCmpCA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,DeleteFileA, 4_2_0040884C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0041D016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0041D98C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0042762E SetUnhandledExceptionFilter, 4_2_0042762E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0BB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6C0BB66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C0BB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C0BB1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C26AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6C26AC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx") (3 references)
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02462131 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_02462131
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: reinforcenh.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: stogeneratmns.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: fragnantbui.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: drawzhotdog.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: vozmeatillu.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: offensivedzvju.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ghostreedmnu.shop
Source: FBFHJJJDAF.exe, 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: gutterydhowi.shop
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_004124A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_004124A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 4_2_0041257F
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 8DA008 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000 Jump to behavior
Source: C:\ProgramData\FBFHJJJDAF.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 11A7008 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 670000 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 671000 Jump to behavior
Source: C:\ProgramData\FIEHIIIJDA.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: CA2008 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\FBFHJJJDAF.exe "C:\ProgramData\FBFHJJJDAF.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\ProgramData\FIEHIIIJDA.exe "C:\ProgramData\FIEHIIIJDA.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IIDHJDGCGDAA" & exit
Source: C:\ProgramData\FBFHJJJDAF.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\ProgramData\FIEHIIIJDA.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0040111D cpuid 4_2_0040111D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 4_2_00410DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0042B0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 4_2_0042B1C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 4_2_00429A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen, 4_2_0042B268
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 4_2_0042B2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement, 4_2_0042AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 4_2_004253E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 4_2_0042B494
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea, 4_2_0042749C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesA, 4_2_0042B556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 4_2_00429D6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 4_2_0042E56F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_00427576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_00428DC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0042B5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 4_2_0042B580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s, 4_2_0042B623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA, 4_2_0042E6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\FBFHJJJDAF.exe Queries volume information: C:\ProgramData\FBFHJJJDAF.exe VolumeInformation
Source: C:\ProgramData\FIEHIIIJDA.exe Queries volume information: C:\ProgramData\FIEHIIIJDA.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0041C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime, 4_2_0041C0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00410C53 GetProcessHeap,HeapAlloc,GetUserNameA, 4_2_00410C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00410D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 4_2_00410D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000010.00000002.3154731112.000000000102A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 4.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3465570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3465570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000D70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: RegAsm.exe, 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Flash|%DRIVE_REMOVABLE%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: MultiDoge
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: RegAsm.exe, 00000004.00000002.2766039693.000000000063A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000004.00000002.2766039693.00000000005A1000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2680623811.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2800620495.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 4.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3465570.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3465570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053339176.0000000003465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2766039693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2770019694.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6696, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C270C40 sqlite3_bind_zeroblob, 4_2_6C270C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C270D60 sqlite3_bind_parameter_name, 4_2_6C270D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_6C198EA0 sqlite3_clear_bindings, 4_2_6C198EA0